UCLA hospital fined over privacy breaches that sources say involve Michael Jackson’s records
State health regulators have fined Ronald Reagan UCLA Medical Center $95,000 for allowing unauthorized employees to view a patient’s medical records, a breach that sources indicated targeted the files of Michael Jackson.
The fine, one of six privacy-related penalties state officials announced Thursday, stems from multiple violations that led to the firing of two hospital employees. Two hospital contract workers were also fired for accessing the same patient’s information, UCLA officials said.
The state identified the person whose files were breached only as “a deceased patient.”
A source close to Jackson’s case said his legal team had previously been informed by UCLA officials that the singer’s medical files had been improperly accessed after his unexpected death June 25 last year at the age of 50. Several attorneys who work for Jackson’s estate and his family members did not immediately return calls.
UCLA officials said the breaches resulting in the fine are the only recent instances of privacy violations. The prestigious hospital has struggled to protect the privacy of its celebrity patients, including Britney Spears, Farrah Fawcett and California First Lady Maria Shriver, violations that led to the 2008 state law used to fine the hospital in the most recent case.
Jackson was pronounced dead at the Westwood hospital after being taken by ambulance from his rented Holmby Hills mansion. According to the state report, the breaches began June 30 of last year, five days after Jackson was killed by a combination of surgical anesthetic and other medication allegedly administered to him by his private doctor.
Hospital officials notified the patient’s family as soon as the breaches were discovered, said UCLA spokeswoman Dale Tate. She said the internal investigation found that no information had been sold.
“There wasn’t anything they saw that was worth selling,” Tate said. “We have systems in place that put up barriers. You’re not authorized to look at certain things. You can only go so far.”
Officials at the state’s Office of Health Information Integrity were still investigating the employees’ actions this week, spokesman Scott Murray said. The employees could potentially face criminal charges and financial penalties, he said.
California Department of Public Health officials declined to identify the UCLA patient or say whether the person was well known. Kathleen Billingsley, deputy director of the department’s Center for Health Care Quality, said she does not view celebrities any differently from other patients when it comes to medical privacy.
“Medical privacy is a fundamental right,” Billingsley said. “Every Californian treated at a hospital should not have to worry about who is viewing their medical information.”
Jackson’s medical records were the subject of intense interest in the weeks after his death. In early July, The Times reported that unauthorized staff at the Los Angeles County coroner’s office had viewed the pop star’s death certificate more than 300 times.
UCLA first reported privacy violations to the state Aug. 5, according to the report released Thursday. At that point, the university knew that an employee in the Department of Pathology and Medical Support Services had accessed the patient’s records July 2 and that a medical school employee had accessed the same patient’s records July 7. The report said the medical school employee had printed labels for the laboratory test that had been performed on the patient.
Neither employee had any reason to access the records, the report said.
On Sept. 7, hospital officials told state authorities that they had discovered more breaches of the same patient’s records by two contract employees of the hospital’s pathology billing service. One accessed the records June 30 and July 9, the other July 9, the hospital reported.
Hospital staff told state investigators the contract employees admitted looking at the records and said “they were curious.”
Tate said the hospital does not plan to appeal the fine. The medical center has 15 days to submit a plan of correction to the state.
UCLA officials said Thursday that they had made a “determined effort to train and test … employees on patient privacy laws and implemented a wide range of safeguards to ensure patient confidentiality” over the last three years.
Last year, the state Department of Public Health issued the first penalty under the privacy law, fining Kaiser Permanente’s Bellflower hospital $437,500 for failing to prevent employees from looking at the medical records of Nadya Suleman after she gave birth to octuplets.
So far, regulators have issued eight fines to six hospitals for a total of $1.1 million. No hospitals have appealed.