The University of California at Los Angeles Health System (UCLAHS) will pay $865,500 in HIPAA fines after an investigation found that its employees had been peeking at the electronic personal health information of numerous patients.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR), conducted the investigation after two separate complaints were filed on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.

“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections," said OCR Director Georgina Verdugo. "Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity."

Along with the fine, UCLAHS has committed to a corrective action plan aimed at remedying gaps in its compliance with the rules.

The corrective action plan requires UCLAHS to implement privacy and security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over three years.

“Covered entities are responsible for the actions of their employees," said Verdugo. "This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any healthcare provider. Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”