- 127 UCLA Medical Center employees were fired, suspended, or warned for improperly accessing celebrity medical records between 2003-2007, violating patient privacy laws. - One employee pleaded guilty to violating HIPAA but died prematurely, while investigations found prior incidents at the hospital. - UCLA was fined over $860,000 and learned it must strictly restrict medical record access and track usage, as healthcare providers are responsible for employee actions regarding patient information.

1. CONFIDENTIALITY:
UCLA AND CELEBRITY RECORDS
EDWARD STANFORD MD
MHA 690
PROF DAVID COLE
OCT 2, 2014

2. LA Times reported (2008)
“For decades, tabloids have made a cottage
industry of star ailments”
Examples:
-Dean Martin’s declining health
-Rock Hudson’s AIDS diagnosis
-Bob Hope’s final years in and out of hospitals
-Brittany Spears, Farrah Fawcett, drug overdose of Dennis Quaid’s twins, Patrick
Swayze near death
Blankenstein, A (2008)

3. Serious breech of doctor-patient
confidentiality
127 UCLA Medical Center employees were fired, suspended, and warned for viewing Social
Security numbers, health insurance information, and addresses from April 2003-May 2007.
Lawanda Jackson, 50, pleads guilty to felony charges of violating federal medical privacy law for
commercial purposes but dies prematurely (LA Times, 2009)
California Department of Public Health cites prior occurrences (Law, 2009).
Laws violated:
Health Insurance Portability Accountability Act (the “Privacy Rule”)
Confidentiality of Medical Information Act (California Civil Code -56 et seq)
Lanterman-Petris-Short Act (California Welfare & Institutions Code – 5000 et seq)
State information Practices Act (California Civil Code sections 1798 et seq)

4. UCLA Mission and Vision
“Our mission is to deliver leading-edge patient care, research, and education”
“Our vision is to heal humankind, one patient at a time, by improving health,
alleviating suffering and delivering acts of kindness” (UCLAhealth.org. 2014)
“UCLA Health System has stringent policies familiar to all employees to protect
patient confidentiality. All staff and faculty members, contractors, volunteers
and other workers are required to sign confidentiality agreements as a condition
of their employment and they complete extensive training on federal Health
Insurance Portability and Accountability Act – related privacy and security
issues” (UCLA newsroom, 2008)

5. LESSONS LEARNED
- Must restrict access to only those who MUST have patient
information access
- Must implement way to keep track of who
accesses/accessed an individual’s information
- Covered entities are responsible for the actions of their
employees
UCLA paid over $860,000 in fines
(abouthipaa.com, 2011)

6. STAFF TRAINING OUTLINE
All staff (physicians, nurses, ancillary staff) with access to patient information – MANDATORY
What is HIPAA – terms and concepts
What is health information
What is protected health information
What is electronic protected health information
Conducting a fair investigation
Zero tolerance for HIPAA patient privacy violations
Business partners must sign confidentiality agreements
Fines imposed for HIPAA violations

7. HIPAA
The HIPAA privacy provision took effect on April 14, 2003. Key privacy provisions include the following:
•Patients must be able to access their record and request correction of errors.
•Patients must be informed of how their personal information will be used.
•Patient information cannot be used for marketing purposes without the explicit consent of the involved patients.
•Patients can ask their health insurers and providers to take reasonable steps to ensure that their
communications with the patient are confidential. For instance, a patient can ask to be called at his or her work
number, instead of home or cell phone number.
•Patients can file formal privacy-related complaints to the US Department of Health and Human Services Office
for Civil Rights.
•Health insurers or providers must document their privacy procedures, but they have discretion on what to
include in their privacy procedure.
•Health insurers or providers must designate a privacy officer and train their employees.
•Providers may use patient information without patient consent for the purposes of providing treatment,
obtaining payment for services, and performing the non-treatment operational tasks of the provider’s business.
Pozgar, 2012, p 295

8. STAFF TRAINING
What is HIPAA HIPAA
Health Insurance Portability and Accountability
Act 1996
Title I Title II Title III Title IV Title V
Insurance
Portability
Tax Related
Health Provision
Revenue
Offsets
Fraud and
Abuse
Medical
Liability
Reform
Administrative
Simplification
Group Health
Plan Requirements

9. Individually Identifiable health
Information
Health Information – any that is created or received by a
health care provider, health plan, employer, or health care
clearinghouse (HIPAA, 1996)
Can involve – past, present, future physical or mental health
or condition of an individual, provision of health care, and
payments for the provision of health care (45 CFR 160.103,
DHHS, 2009)

10. Protected Health Information (PHI)
Examples:
Medical records
Billing records
Any record containing sufficient
information to identify
the individual (DHHS, 2009).
Health
Information
Individually
Identifiable
Health
Information
Protected
Health
Information
Adapted from
HHShipaasagtraining.com, 2009

11. Electronic Protected Health Information
(ePHI)
Any protected health information that is maintained in or
transmitted in electronic media

12. CONCLUSIONS
All medical providers who have any access to a patient’s
medical information should understand HIPAA
All medical providers should receive MANDATORY training
and understand a zero tolerance for violations
Only individuals who MUST have access to PHI should be
allowed access
Employers are responsible for the actions of their
employees

13. REFERENCES
AboutHIPAA (2011). Specific lessions from HIPAA privacy and security case at UCLA health system. Accessed from www.abouthipaa.com
Oct 1, 2014
Blankenstein, A Eyes on celebrity records multiply. May 20, 2008 Accessed from www.latimes.com. Oct 1, 2014.
DHHS (2009). Accessed from www.DHHS.org. Oct 1 2014.
HHShipaasagtraining (2009). Accessed from www.hhshipaasagtraining.com Oct 1, 2104.
HIPAA (1996). Accessed from www.gov.org. Oct 1, 2014.
LA Times (2009). Ex-hospital worker convicted in patient record leaks dies. Accessed from www.articles.latimes.com. Oct 1 2014.
Law, M. (2009). The celebrity California UCLA medical center scandal: Snooping on Celeb Records. Accessed from www.uslaw.com. Oct 1,
2014
Pozgar, G. D. (2012) Legal Aspects of Health Care Administration, 11th Edition. Jones & Bartlett Publishers.
UCLA (2014). Accessed from www.uclahealth.org. Oct 1, 2014.
UCLA Newsroom (2008). ULCA Health system statement on patient confidentiality. Accessed from www.newsroom.ucla.edu. Oct 1, 2014.