UCLA Health System must pay $865,500 as part of a settlement with the U.S. Department of Health and Human Services (HHS) over complaints that employees snooped on the health records of two celebrities.

The violations of the Health Insurance Portability and Accountability Act (HIPAA), which occurred from 2005 to 2008, also resulted in the three-hospital system agreeing to implement a corrective action plan, according to an HHS news release from Friday.

The federal agency’s Office for Civil Rights is requiring that UCLA Health implement privacy and security policies and procedures, including the regular training of employees who access personal health information and the punishment of offenders. In addition, the health system must hire an independent auditor to assess its compliance over the next three years.

“It leaves open the door for additional potential fines if they’re not careful, and the corrective action plan has some real cost associated to it,” Cynthia Larose, a Boston-based privacy and security lawyer, told SCMagazineUS.com on Monday. “There are some real regulatory burdens associated with one of these things.”

HHS would not name which celebrities had their confidential records improperly accessed. But there have been several high-profile breaches at UCLA Medical Center, which resulted in a number of firings after it was discovered that employees were snooping on the medical records of Britney Spears, Farrah Fawcett and former California First Lady Maria Shriver.

The settlement, which followed a $1 million agreement involving similar violations at Massachusetts General Hospital earlier this year, offers further proof that HIPAA violations are being dealt with more seriously than ever before. This is thanks to the HITECH Act, passed as part of the 2009 economic stimulus bill, which strengthened the protection of identifiable health information by expanding the scope of HIPAA.

For example, Larose said, the HITECH amendment enabled HHS to hire additional personnel to investigate complaints of patient breaches.

A statement from UCLA Health System, emailed to SCMagazineUS.com on Monday, said the entity has spent the past three years augmenting its staff training, audit capabilities and security systems.

“Our patients’ health, privacy and well-being are of paramount importance to us,” said David Feinberg, CEO of the UCLA Hospital System and associate vice chancellor for health sciences. “We appreciate the involvement and recommendations made by (HHS) in this matter and will fully comply with the plan of correction it has formulated. We remain vigilant and proactive to ensure that our patients’ rights continue to be protected at all times.”

Larose said settlements such as this may enable IT security teams to glean additional budget dollars to be put toward compliance. Ultimately, she said, offenders need to realize they are being watched and will get in trouble if they snoop.

“The surest way to stop that is to constantly monitor and call people out for it,” she said.

Hospitals in the Los Angeles area seem to be a hotbed of insider malfeasance because of their proximity to the entertainment industry. Numerous incidents have prompted the state of California to implement stiffer penalties.

Last year, a UCLA Health System employee was sentenced to four months in prison after pleading guilty to illegally snooping into patient records, mainly those belonging to celebrities. Not long after, the California Department of Public Health fined five hospitals for unauthorized prying into confidential medical records.