The University of California at Los Angeles Health System has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 privacy and security rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with the rules, announced the U.S. Department of Health and Human Services July 7.

The resolution agreement resolves two separate complaints filed with HHS's Office for Civil Rights on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR's investigation into the complaints revealed that from 2005 to 2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients, according to HHS.

The corrective action plan requires UCLAHS to implement privacy and security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over three years.

HHS OCR enforces the HIPAA privacy and security rules. The privacy rule gives people rights over their protected health information and sets rules and limits on uses and disclosures of that health information. The security rule protects health information in electronic form by requiring entities covered by HIPAA to implement physical, technical and administrative safeguards to ensure that individual's electronic protected health information remains private and secure.

For more information, see the August 2011 issue of the Guide to Medical Privacy & HIPAA.

The HHS Resolution Agreement and CAP can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/UCLAHSracap.pdf.