Slashdot Mirror


UCLA Hospital Hit With HIPAA Fine On Celeb Records

Trailrunner7 writes "The University of California at Los Angeles Health Services has agreed to pay an $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification. This is the third major HIPAA fine issued by the Department of Health and Human Services in 2011, following a fine of $4.3 million for Cignet and a penalty of $1 million for Massachusetts General Hospital."


  1. Pledged to tweak their infrastructure by shoehornjob · · Score: 1

    Sounds like hospital speak for slap a band aid on it and hope they don't get caught again.

    --
    "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    1. Re:Pledged to tweak their infrastructure by ethanms · · Score: 4, Insightful

      I was thinking it sounds like "fire those involved and make it very clear too all remaining employees that those involved were fired and are unlikely to get another job in the medical field after being terminated for a HIPPA violation...

    2. Re:Pledged to tweak their infrastructure by ethanms · · Score: 1

      ugg... to...

    3. Re:Pledged to tweak their infrastructure by NeoMorphy · · Score: 2

      I agree!

      I work at a health insurance company and everyone in the company was required to take HIPPA training. It was very thorough, and I assume everyone else in the Health Industry had to go through something similar. On top of that, the pharmacy reminds you of it and whenever I see a new doctor I get to read yet more documentation regarding HIPPA and then sign it.

      The employees involved should have known they were doing something that was not only illegal, but that it would endanger their career.

      If you think about it, there is a lot of private data that is ultimately protected by people acting professionally and not disclosing that information to the wrong people. There is no way to proactively stop that, other than hiring the right people, doing background checks, and impressing upon them the importance of following the rules regarding privacy.

    4. Re:Pledged to tweak their infrastructure by scottv67 · · Score: 1

      >HIPPA training
      >regarding HIPPA

      The training must not have been very good if you did not learn how to spell the acronym.

    5. Re:Pledged to tweak their infrastructure by shoehornjob · · Score: 1

      Hmm... I think you just saved the company money by not putting a bandaid on the situation. Imagine if they actually had to rewrite some software to lock access to records etc. You're right, termination does work better.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    6. Re:Pledged to tweak their infrastructure by NeoMorphy · · Score: 2

      Argghhh!

      My apologies, you are correct.

      HIPAA(Health Insurance Portability and Accountability Act)

      For some reason I often think "Health Insurance Portability and Privacy Act", which seems more appropriate. There is a lot of emphasis on privacy, and yet it's not in the acronym. I must confess that remembering what the acronym stood for was a question I got wrong, but I got the rest right.

    7. Re:Pledged to tweak their infrastructure by SonnyDog09 · · Score: 1

      The punishment depends on who you are. Clerks get fired. Nurses may get fired, depending on whether they are in a Union or not. They may also be suspended without pay. It varies. The last time that I really looked at this, I could not find a case of a doctor being fired for a HIPAA (yes, that is the acronym....it has nothing to do with hippos) violation. They might be suspended without pay.

      --
      Your "fair share" is NOT in my wallet.
  2. Shocked, shocked I tell you! by overshoot · · Score: 4, Insightful

    Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.

    Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    1. Re:Shocked, shocked I tell you! by Mindcontrolled · · Score: 2

      Well, generally, why shouldn't the files be open to every medical employee? They are bound to silence, anyway. I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine. You can learn from cases that are not your own, after all. Of course, the assumption that everyone will honor their obligation to silence is a bit far-fetched, I give you that. But post hoc the one that talked should be slapped, not the institution.

      --
      Ubi solitudinem faciunt, pacem appellant.
    2. Re:Shocked, shocked I tell you! by Saerko · · Score: 3, Interesting

      Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.

      Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.

      I'm not sure I'm all in for that statement. Almost all EMRs these days have pretty robust security controls, and it's rare that celebrity patients come in on unplanned visits where that "all access" kind of response is necessary. Where it is, it's usually handled in the ED, where the expectation of privacy is necessarily low. In the case that the patient is a regular admission, a pre-admit for a procedure/care, or anything other than getting hit by a bus or other trauma, there are well-established practices that protect their identity.

      For instance, my last employer had a case where a celebrity's wife came in for Labor & Delivery. The hospital admitted her under a pseudonym, and only her direct caregivers knew the true identity. An audit trail and special VIP protections were placed on her record, so that staff had to electronically "sign" and state a reason why they needed access to her chart if they weren't in the direct care group. For all intents and purposes, she was well protected.

      The problem came in when billing entered the picture. You can't bill against a pseudonym, and the local papers broke the story soon after she delivered. Once she left the hospital, her pseudonym was replaced by her real name, and her chart was promptly accessed over 200 times by various personnel across the hospital. In the next week, five people were fired outright for unauthorized access, and about a dozen put on disciplinary action because we couldn't fully prove that their access was unnecessary, if suspect. In an ideal world, the system would have been able to bill out under the pseudonym with the identity correction occurring downstream, but people still talk and the cover would get blown eventually anyway.

      Does this anecdote have a point? I'd like to think so: it's that there's only so much mitigation you can do, but a lot of hospitals and EMR vendors could certainly do more. There will always be people like me who have god-like access by necessity though, and as long as that exists, there will always be the potential for abuse and information leaks. I think the real benefit of electronic systems is that, previously, if someone absconded with the paper chart, there was no way to tell who accessed it. Even I leave entries in the logs, and there's pretty close to no way to effectively "leave no trace" of my presence in the system. The biggest benefit of modernization is accountability, but real privacy is a pipe dream that people need to abandon.

    3. Re:Shocked, shocked I tell you! by Dilaudid · · Score: 1

      This all seems pretty simple. You record every access, all accesses will be audited at a later stage by an oversight committee. 99% of cases are automatically handled (e.g. doctor accessing records for his patient day after admission) but cases which are not clear are reviewed. Any employee who accesses records has to explain his rationale for doing so. If the rationale doesn't hold up, they are disciplined / sacked. A warning explaining this comes up when you try to access records. I would imagine the guarantee of losing your job would curtail the curiosity of most nosy employees, and while the sacking might be post-hoc, their apprehension will be before the fact.

    4. Re:Shocked, shocked I tell you! by Jawnn · · Score: 1

      Well, generally, why shouldn't the files be open to every medical employee? They are bound to silence, anyway. I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine. You can learn from cases that are not your own, after all. Of course, the assumption that everyone will honor their obligation to silence is a bit far-fetched, I give you that. But post hoc the one that talked should be slapped, not the institution.

      Well said, and artfully argued, I might add. It should be pointed out that since almost forever, medical records have lived on paper in large, poorly secured rooms. Audit trails, if they existed at all, were little more than a sign in sheet by the door. The breach that was caught and dealt with in this case would likely have gone undetected, or the perpetrators un-identified at least, before the advent of EMR. Then again, I did work in one hospital where the records of a certain class of patients were considered exceptionally sensitive and received an additional layer of security. It might be argued that the medical records of "celebrities" deserve a similar level of security. No one is likely to bribe a file clerk for access to the file on "Joe the shoe salesman", but Brittney Spears? All the time. Not that our fascination, as a society, with such celebrity details isn't sick in itself, but that's another discussion.

    5. Re:Shocked, shocked I tell you! by david_thornley · · Score: 2

      In a civilized country, there wouldn't have to be any billing for something like a delivery.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    6. Re:Shocked, shocked I tell you! by girlintraining · · Score: 1

      Obvious potential for abuse, so all of the protections have to be post hoc.

      In every other case, the employee would simply be fired and have to find a new line of work. Fining the employer for an infrastructure that is working as designed only increases medical costs for everyone. Worse, I highly doubt this fine would have been levied if it had been a homeless person instead of a celebrity. Effectively we're paying for celebrity ego here.

      --
      #fuckbeta #iamslashdot #dicemustdie
    7. Re:Shocked, shocked I tell you! by Anonymous Coward · · Score: 1

      As somebody who works in the medical record field as a 'consultant', this is grossly impractical.

      Records get accessed hundreds of times a day by hundreds of people for all sorts of reasons. It would be a full-time effort by a good-sized team of people to even begin to look into the audit logs.

      Now any good EMR suite will allow the locking of sensitive records which prevents unauthorized access such as this. However, they typically will allow a 'break the glass' scenario where anybody CAN access the record in an emergent situation, but that access is reported immediately to a supervisor.

      Either way, there are already partial solutions to this sort of thing, but there is just too much data to manage manually. Plus the real sensitive information like SS numbers, addresses, etc, are so easily accessible without even technically looking at the record with zero accountability. Lots of paper floating around still too. Basically the only solution is good training, good people, and strong policy when the first two are ineffective. No different than anything else.
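
The audit-and-triage scheme sketched in the two comments above (log every access, auto-clear routine care-team access, queue everything else for an oversight reviewer, and let "break the glass" emergency access through while alerting a supervisor at once), together with the post-discharge burst of 200 accesses described earlier in this thread, as an added Python example. This is editor-written illustration, not code from any commenter or from any EMR vendor. The patient IDs, user names, care-team rosters, admission windows, grace period, thresholds and log events are all constructed for the example.

```python
"""Triage of EMR access-log events (added example; all data constructed).

Rules modelled from the thread:
  * break-the-glass access is allowed but alerts a supervisor immediately;
  * access by a patient's care team during the admission (plus a grace
    period) is auto-approved;
  * access to a flagged (VIP) record by anyone else must carry a stated
    reason; a reasonless VIP access is a control failure and alerts;
  * everything else is queued for human review.
A second pass looks for a burst of distinct users on one record, the
pattern the thread describes once a pseudonym was replaced by a real name.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient_id: str
    reason: str = ""           # stated reason for access, "" if none given
    break_glass: bool = False  # emergency override used


# Constructed reference data for a hypothetical hospital.
CARE_TEAM = {"P-1001": {"dr.lee", "rn.ortiz"}, "P-2002": {"dr.chen", "rn.ortiz"}}
ADMISSION = {
    "P-1001": (datetime(2011, 7, 1, 8), datetime(2011, 7, 4, 12)),
    "P-2002": (datetime(2011, 7, 2, 9), datetime(2011, 7, 2, 18)),
}
VIP = {"P-1001"}            # records with the extra "sign and state a reason" layer
GRACE = timedelta(days=1)   # care-team access shortly before/after admission is routine


def triage(a: Access) -> str:
    """Classify one access event as 'auto', 'review' or 'alert'."""
    if a.break_glass:
        return "alert"  # permitted, but reported to a supervisor at once
    start, end = ADMISSION.get(a.patient_id, (None, None))
    on_team = a.user in CARE_TEAM.get(a.patient_id, set())
    in_window = start is not None and start - GRACE <= a.ts <= end + GRACE
    if on_team and in_window:
        return "auto"   # the routine case: own patient, during the stay
    if a.patient_id in VIP and not a.reason:
        return "alert"  # VIP record opened without the mandatory reason
    return "review"     # off-team or out-of-window: a reviewer asks why


def summarize(events):
    """Group events by disposition -> list of (user, patient_id)."""
    out = defaultdict(list)
    for e in events:
        out[triage(e)].append((e.user, e.patient_id))
    return dict(out)


def access_bursts(events, window=timedelta(days=1), threshold=3):
    """Return {patient_id: peak distinct users} for records where more than
    `threshold` distinct users opened the chart inside any sliding `window`."""
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e.patient_id].append(e)
    flagged = {}
    for pid, evs in by_patient.items():
        evs.sort(key=lambda e: e.ts)
        counts, lo, peak = defaultdict(int), 0, 0
        for e in evs:
            counts[e.user] += 1
            while e.ts - evs[lo].ts > window:      # slide the left edge forward
                counts[evs[lo].user] -= 1
                if counts[evs[lo].user] == 0:
                    del counts[evs[lo].user]
                lo += 1
            peak = max(peak, len(counts))
        if peak > threshold:
            flagged[pid] = peak
    return flagged


# Constructed log: an admission, an ER override, then a post-discharge burst.
EVENTS = [
    Access(datetime(2011, 7, 2, 10), "dr.lee", "P-1001"),
    Access(datetime(2011, 7, 2, 11), "dr.chen", "P-2002"),
    Access(datetime(2011, 7, 2, 11, 5), "er.doc", "P-2002", "unresponsive on arrival", True),
    Access(datetime(2011, 7, 5, 9), "billing.kim", "P-1001", "claim coding"),
    Access(datetime(2011, 7, 5, 9, 30), "clerk.ray", "P-1001"),
    Access(datetime(2011, 7, 5, 10), "rn.park", "P-1001"),
    Access(datetime(2011, 7, 5, 10, 15), "rn.ortiz", "P-1001", "follow-up call"),
    Access(datetime(2011, 7, 5, 11), "admin.soo", "P-1001", "curious"),
]

if __name__ == "__main__":
    for disposition, who in summarize(EVENTS).items():
        print(disposition, who)
    print("bursts:", access_bursts(EVENTS))
```

Run as-is, the constructed log yields three auto-cleared events, two queued for review, three alerts (one break-the-glass, two reasonless VIP opens), and a burst flag on P-1001 with five distinct users in one day. The grace period is the deliberate knob: widen it and more off-hours care-team access clears automatically, narrow it and the review queue grows; neither setting removes the need for a reviewer, which is the point the comment above makes about the volume of legitimate traffic.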

    8. Re:Shocked, shocked I tell you! by swalve · · Score: 1

      In a more civilized country, you pay for the services you consume.

  3. And so... by Anonymous Coward · · Score: 1

    This is why I'm against surveillance as a means to deal with crime.

    I don't necessarily have a problem with surveillance in and of itself; but I do have a problem when humans are the ones in control of it. You simply cannot trust that everybody who has access to information will not abuse it.

    Give people the opportunity to take advantage of other people, and it will happen.

    1. Re:And so... by swalve · · Score: 1

      The only way to stop crime is to stop people from wanting to do it, and increasing the chances they get caught is one of the ways to do that. You don't want a society of people who never have had to make "should I, shouldn't I" decisions. They will all run into traffic the second the styrofoam fence develops a hole.

  4. Re:Is that news? by ColdWetDog · · Score: 1

    What is a papatatzi?

    Paparazzi with a tattoo?

    --
    Faster! Faster! Faster would be better!
  5. HIPAA is a travesty by Tony+Isaac · · Score: 4, Insightful

    I work in the electronic medical records industry, and I can tell you that HIPAA protects your privacy about as well as those multi-page "privacy policy" letters you get from your bank and other businesses...you know, the ones that tell you, in lots of fine print, that they will do whatever they want with your information.

    Sure, HIPAA requires doctors and hospitals to get your consent before sharing your information with others. That's why, when you see a doctor these days, you have to first sign that consent form! If you don't sign, you get sub-standard care, or have insurance hassles...basically, you have to sign. So tell me how THAT helps anything!

    What HIPAA DOES do well, is make it difficult for spouses (and other caring family members or friends) to find out what's going on with their loved ones when disaster strikes. It also costs hospitals and doctors tons of money to comply (I know, my company is the recipient of some of that money)...and that in turn drives up the cost of health care.

    HIPAA may have been created with good intentions in mind, but it is a travesty and can't be repealed fast enough!

    1. Re:HIPAA is a travesty by flimflammer · · Score: 1

      Not saying you're bullshitting or anything but my father was hospitalized last year over a severe infection in his hand. He was so sick from it that he was out of it and unable to sign any paperwork. The doctors who saw him were very up front with me about their thoughts and fears about his health.

      Are you suggesting that they violated HIPAA by telling me? I was under the impression HIPAA was more about sharing information with non relatives, or to stop those who can access the information from accessing it without a valid reason.

    2. Re:HIPAA is a travesty by Tony+Isaac · · Score: 3, Insightful

      You are correct, that is what HIPAA was supposed to be about. You are fortunate.

      The problem is, it all depends on how the specific doctor or hospital interprets their obligations under HIPAA. Some of them are reasonable, but others grossly exaggerate the level of privacy required by the law.

      In our business, we often have to read document after document just to try to understand the requirements. If WE have to do that, how in the world can a small doctor's office apply the law correctly? The truth is, they often make their best guess and hope the lawyers don't come after them.

    3. Re:HIPAA is a travesty by Anonymous Coward · · Score: 1

      Regulation is intended to eliminate small and efficient competitors, see raw milk, beef industry, heck, even freaking barbers are regulated and need to study to get licensed.

      Well, barbers are more about exclusion of newcomers in terms of labor (i.e. unions), in comparison of the other examples where big business is putting hurdles for small businesses using the power of the state. Nevertheless, both have the goal of raising the bar to entry.

    4. Re:HIPAA is a travesty by pete6677 · · Score: 1

      HIPAA does nothing more than create mountains of paperwork (or electronic forms). It makes no real difference in privacy in any meaningful way, but it sure does keep a lot of HIPAA consultants employed.

    5. Re:HIPAA is a travesty by android.dreamer · · Score: 1

      Look, let's hypothetically say you had the case above and it turned out your father had AIDS. I wouldn't want my kids to know that. "He's ill" should really be the only thing I would want my doctors to say.

  6. Scope matters by overshoot · · Score: 1

    I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine.

    You can access the sealed filings from cases all across the country?

    No? Maybe that makes a difference.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    1. Re:Scope matters by Mindcontrolled · · Score: 1

      Ok, you got a point there - Obviously I can only access stuff inside the firm. But then again, would it really change anything? In the end, it remains a matter of my professional obligation and honor to keep my mouth shut.

      --
      Ubi solitudinem faciunt, pacem appellant.
    2. Re:Scope matters by TheGratefulNet · · Score: 1

      You can access the sealed filings from cases all across the country?

      if he's lulzsec, I bet he could...

      --
      "It is now safe to switch off your computer."
    3. Re:Scope matters by unkiereamus · · Score: 1

      You can access the sealed filings from cases all across the country?

      No? Maybe that makes a difference.

      I don't see the relevance here.

      The only thing I can figure, is that you have a vastly distorted view of EMR. I think an uncomfortably large portion of the populace has bought the shit that Siemens is shoveling in their ads.

      There isn't a vast network spanning the country of EMRs that can be accessed by anyone connected to it. Not ever spanning a city (with limited exceptions). Each hospital/dr office/whatever has their own system, with their own records. I can't work at SmallRegionalHospital and access the UCLA system,at best (And this is something of a stretch for most EMR systems), I might be able to access the records of SmallRegionalHospital'sOutreachClinic.

      Now, I've never worked for one of the huge healthcare corporations, so I don't know whether all of their EMR systems are linked, but I'm tempted to think that they aren't.

      Why?

      HIPAA.

      --
      I needed a sig so people would know who I am, but I was too drunk to make something witty, so you get this instead.
  7. Why not jail for the offenders? by schwit1 · · Score: 1

    The article states that the employees had no reason for accessing the records. How about puerile curiosity? What they didn't have was a legitimate reason.

    The hospital says it needs to conduct “regular and robust” trainings for employees that access sensitive information. What a load of crap. This is the same bullshit response police departments give when cops steal your camera when you record them. Both parties knew what they were doing was wrong BEFORE they did it. The answer is serious jail time.

  8. get rid the HMO bs and then billing will not be th by Joe_Dragon · · Score: 1

    get rid of the HMO bs and then billing will not be the fall point for people who don't want their real name listed.

  9. But will they pay? by rbanzai · · Score: 1

    We read about fines like this all the time but there is no follow-up to see if they are ever paid. It's similar to the drug busts where law enforcement agencies assign an arbitrary massively inflated value to the confiscated material to make themselves look good. Agencies declare these fines so they look good in the press, but are they ever actually paid? In full? On time?

  10. Or as they say in the hospital... by tyler_larson · · Score: 1

    Knock knock!
    Who's there?
    HIPAA.
    HIPAA who?
    Sorry, I'm not allowed to say.

    --
    "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
    RFC 1925
  11. sounds like sound risk management to me. by KingAlanI · · Score: 2

    Because she's famous, it increased the risk that people would access the records unnecessarily, and this behavior seemed like a logical response to manage that risk.

    --
    I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
  12. Re:There's an easy solution. by MLease · · Score: 1

    Hm. So being a celebrity is an offense potentially punishable by death now?

    -Mike

    --
    I'm sorry; I don't know what I was thinking!
  13. I hate to break this to you, but by Whuffo · · Score: 1

    Much of the access to these protected records come from minimum-wage (or slightly better) data entry workers. There's a huge amount of paperwork generated for each hospital patient and they handle it all.

    Imagine if you're one of these people; working long days at a keyboard for barely enough to live on - and someone offers you a significant "bonus" for giving them a copy of this or that file.

    This goes on every day at your hospital, your motor vehicle licensing and driver's licensing department, etc. There's a booming market for private information; lawyers, collection agents, skip tracers, etc, etc. Each of them cultivates their own sources of inside information and pays them well.

    Security theater doesn't only go on at the airport...