You don't need celebrity patients to learn from this HIPAA mistake. If you knew Brad Pitt was getting medical treatment at your location, would you peek at his files? How about your ex-husband's new wife? Or your estranged sister? No matter whose records you're reviewing, it's illegal to take that peek unless you have a medically necessary reason to be doing so. That was a very expensive lesson that the University of California at Los Angeles Health System (UCLAHS) learned recently after agreeing to settle potential violations of the HIPAA rule for $865,500. At issue:
Not only will the hospital face the steep fine, but it must also implement a corrective action plan to fix gaps in its HIPAA compliance routine.
The lowdown:
Not only is it illegal to review a patient's PHI without having a justifiable and medically necessary reason, but medical practice owners can't simply turn a blind eye if their staff members are doing so. "Covered entities are responsible for the actions of their employees," said Office of Civil Rights director Georgina Verdugo in the statement. "Employees must clearly understand that casual review for personal interest of patients' protected health information is unacceptable and against the law."
Verdugo also stressed that the OCR is always alert to HIPAA violations. "Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections," she noted. "Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity."
To read more about the UCLAHS fine, visit www.hhs.gov/news/press/2011pres/07/20110707a.html.