HIPAA law and celebrity

One of the most important responsibilities of health care workers and hospitals is to protect the privacy of the patients for whom they care. Unfortunately, in the case of George Clooney’s recent hospitalization for injuries sustained in a motorcycle crash, a consequence of electronic medical records was revealed when dozens of employees, some of whom apparently leaked the information to the press, accessed Clooney’s medical records. Of course, these employees didn’t seem to realize that EMRs allow the tracking and identification of anyone who logs on to the system. Anyone who logs on leaves an electronic trail of exactly what information he or she accessed.

What irritated me as I saw this story on the news and read about it is how many people were defending the hospital employees. A typical statement came from a union representative:

“It was inappropriate but they are paying a steep price. But I don’t even think George Clooney would want people to pay. Again, the apology to him for his privacy rights [is necessary], but I think in fact the hospital is overreacting,” says Jean Oterson of the HPAA.”

Even George Clooney seems to take this line.

From my perspective, the hospital is not overreacting. Leaking confidential patient data is a violation of federal law for which the hospital and employees could be prosecuted. As for what penalties are appropriate, it depends. If an employee only accessed the information out of curiosity and didn’t leak it, then I do consider it a rather minor offense that deserves at most a suspension. However, there is a strong suspicion that at least some of these employees did leak information to the press:

Within minutes, the media seemed to know everything about Clooney’s condition, and sources tell CBS 2 HD that hospital officials are now investigating whether or not their own employees leaked information about Clooney to the media.

CBS 2 HD has learned as many as 40 employees are being investigated, and the hospital has suspended 27 employees for a month without pay after being accused of accessing Clooney’s medical records and giving that information to the press — which is a violation of federal law.

The bottom line is that any employee who can be shown to have leaked George Clooney’s medical information to the press should be fired. Period. There is no excuse for such behavior. Clooney may be magnanimous in not wanting anyone suspended and fired, but the issue raised by this behavior goes beyond his personal wishes. It goes to the heart of the responsibility of hospitals and health care workers not to compromise the privacy of their patients, and a message needs to be sent that such behavior is intolerable.