A California jury recently decided that the University of California, Los Angeles (UCLA) Health System was not responsible for the unauthorized release of a patient’s medical records, which an attorney says sets some precedent for similar cases.

The patient, Norma Lozano, had sued UCLA for $1.25 million after an assistant in the office of a UCLA-affiliated physician used the doctor’s access code and password to view Lozano’s medical records. The assistant, Alexis Price, allegedly took photos of the records and texted them to Lozano’s ex-boyfriend. Lozano later learned that the physician, Dr. John D. Edwards, had shared the login credentials with his office staff.

After reaching the verdict, a juror told legal news website Law360 that that they couldn’t find UCLA responsible, and that its privacy protections are similar to those at other facilities.

“We are gratified that the jury paid such close attention throughout the trial, considered the evidence carefully, and correctly recognized that any release of information was the product of Dr. Edwards’s breaking UCLA’s rules and Alexis Price intending to do something malicious,” said Bryan Heckenlively, an attorney from Munger Tolles & Olson LLP who represented the university, in a statement after the verdict.

Andrew Gantt, a partner in the business department of law firm Cooley LLP and a member of its Life Sciences Practice Group, said in a news release that the jury’s decision “sets at least some precedent for limits on a plaintiff's ability to recover in situations where an employee has authorized access to information but exceeds that authorized access to engage in activities that could be privacy or security violations.”

“It took the jury only an hour to decide that since UCLA did not release the plaintiff's records, it would not be liable for the alleged harm,” Gantt said.

It came up in the trial that, usually in the case of celebrities, UCLA employs a secondary layer of security that requires entering a password a second time and specifying a reason for viewing the records. Gantt said this extra layer, called “break the glass,” might not have deterred Price from accessing the records. Other security measures, such as a biometric authentication factor, may have prevented the breach in this case, but Gantt said such a system isn’t considered the industry standard.

Gantt said the U.S. Department of Health and Human Services' Office for Civil Rights could find UCLA responsible in investigating the case as a HIPAA violation. He urged facilities to train staff in HIPAA compliance, monitor access to patient data and address possible weaknesses.

“Given the abundance of recent litigation and enforcement activity regarding the improper use or disclosure of patient data, entities such as providers and health plans that regularly interact with such data should ensure that they have taken legally required and best practice actions to safeguard the sensitive information in their possession or control,” Gantt said. “Such proactive steps can help to lessen the risk of significant fines, legal fees, and negative publicity in the event of a breach of patient data.”

The jury’s decision came more than a month after UCLA was the victim of a cyberattack that potentially put 4.5 million patients’ records at risk.

Risk Management Homepage