I am sure many of you remember the reports dating back to 2005 that celebrity patient files were being viewed by casual lookers: employees who had access to the University of California at Los Angeles (UCLA) Health System electronic medical record (EMR) but who had no legitimate reason to view those records. Well, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has entered into an agreement with UCLA Health System (UCLAHS) to settle potential HIPAA violations for $865,500. Additionally, UCLA has committed to correcting gaps in its security, improving its policies and procedures to better safeguard patient information, and adequately educating its employees.
In a separate case, FierceHealthPayer reported that WellPoint will pay $100,000 to the state of Indiana because they waited several months before notifying Indiana officials of a security breach that could have exposed the data of 32,000 members.
It also will reimburse each affected member up to $50,000 for any breach-related losses as part of the settlement reached with the Indiana Attorney General.
For me, the important issues here are the following:
- OCR is serious about data breaches and safeguarding patient protected health information (PHI).
- State laws are just as important as Federal law. You must know and follow those local regulations as well as HIPAA and HITECH.
- The cost of a data breach is significant and would put many small provider organizations out of business.
Have you reviewed your security and privacy practices and policies this year? Are you confident that your PHI practices are solid and that your employees are using the procedures as written? How do you review these and how do you educate your employees?
Please share your experiences and concerns about data privacy and security with us below.