The UCLA Health System reached a settlement with government regulators after hospital employees broke the law by reviewing the medical records of celebrity patients without valid reason or authorization. The violations at UCLA first took place in 2008 and prompted California state legislators to pass new laws with tighter controls and stiffer penalties.
Even after the new laws took effect, the violations at UCLA continued. These violations included several security breaches involving the medical records of Michael Jackson in 2009, the same year the singer died at the Ronald Reagan UCLA Medical Center. Those violations led to a $95,000 fine against the Medical Center.
In June 2009, the Office for Civil Rights at the U.S. Department of Health and Human Services began investigating the health system because of alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The investigation revealed that UCLA employees examined private electronic records “repeatedly and without a permissible reason”.
The employees have not been named, but an administrative specialist at Ronald Reagan UCLA Medical Center was fired in 2007 after she was caught accessing Farrah Fawcett’s medical records and allegedly selling information to the National Enquirer. That employee later pleaded guilty to a felony charge of violating federal medical privacy laws for commercial purposes.
Federal investigators faulted the hospital system for failing to remedy the problems, discipline staff or retrain staff. As a condition of the settlement, UCLA Health System was required to submit a plan to federal regulators detailing how officials would prevent future breaches. The health system agreed to retrain staff on privacy protections, formulate privacy policies, appoint a monitor to oversee improvements and report to regulators for the next three years.