HIPAA law and celebrity

One of the most important responsibilities of health care workers and hospitals is to protect the privacy of the patients for whom they care. Unfortunately, in the case of George Clooney’s recent hospitalization for injuries sustained in a motorcycle crash, a consequence of electronic medical records was revealed when dozens of employees, some of whom apparently leaked the information to the press, accessed Clooney’s medical records. Of course, these employees didn’t seem to realize that EMRs allow the tracking and identification of anyone who logs on to the system. Anyone who logs on leaves an electronic trail of exactly what information he or she accessed.

What irritated me as I saw this story on the news and read about it is how many people were defending the hospital employees. A typical statement came from a union representative:

“It was inappropriate but they are paying a steep price. But I don’t even think George Clooney would want people to pay. Again, the apology to him for his privacy rights [is necessary], but I think in fact the hospital is overreacting,” says Jean Oterson of the HPAA.”

Even George Clooney seems to take this line.

From my perspective, the hospital is not overreacting. Leaking confidential patient data is a violation of federal law for which the hospital and employees could be prosecuted. As for what penalties are appropriate, it depends. If an employee only accessed the information out of curiosity and didn’t leak it, then I do consider it a rather minor offense that deserves at most a suspension. However, there is a strong suspicion that at least some of these employees did leak information to the press:

Within minutes, the media seemed to know everything about Clooney’s condition, and sources tell CBS 2 HD that hospital officials are now investigating whether or not their own employees leaked information about Clooney to the media.

CBS 2 HD has learned as many as 40 employees are being investigated, and the hospital has suspended 27 employees for a month without pay after being accused of accessing Clooney’s medical records and giving that information to the press — which is a violation of federal law.

The bottom line is that any employee who can be shown to have leaked George Clooney’s medical information to the press should be fired. Period. There is no excuse for such behavior. Clooney may be magnanimous in not wanting anyone suspended and fired, but the issue raised by this behavior goes beyond his personal wishes. It goes to the heart of the responsibility of hospitals and health care workers not to compromise the privacy of their patients, and a message needs to be sent that such behavior is intolerable.


  1. #1 Chemgeek
    October 10, 2007

    It is a matter of trust. When anyone enters a hospital, we must be able to completely trust those who care for us, medically and personally. There are rules in place to help ensure that trust. If my trust were betrayed like this, I would also want punishments handed out.

  2. #2 David Tyler
    October 10, 2007

    Mr. Clooney may be publicly gracious – how he feels personally might be another story. He would certainly have grounds for legal action against the hospital if he changes his mind. It is not OK to break the law just because the victim is not outraged. The next one might very well be. Hospital employees who don’t understand this should be working somewhere else!

  3. #3 Pinko Punko
    October 10, 2007

    Considering all those employees have to HIPAA certify CONSTANTLY, there is no excuse. This is utterly ridiculous. They do need to be suspended. When the murderer Mark Hacking went into the psych ward at the U. of Utah, there was an immediate memo sent out about not talking ot the press and no accessing of medical records because it was clear that people had immediately broken the rules. I believe several people were suspended.

  4. #4 Jared
    October 10, 2007

    I’m not advocating that these people shouldn’t have punitive action taken.

    But, HIPAA, as implemented, is a truly defective, broken system. As such, it should be ridiculed and followed only in spirit. Do I believe even the barest spirit was broken in this instance? Yes.

    What do I think should be done? Instead of suspending everyone without pay, make them work, and dock their pay down to minimum wage levels. Then, take that money that was docked, and allow George Clooney to recommend where it gets donated.

    It may not be funny, but it sure as shit isn’t sad.


  5. #5 AgnosticOracle
    October 10, 2007

    I worked as a programmer at a large hospital in the Boston area not too long ago. A lot of what I did involved software to retrieve patient records. I remember being told by one of my fellow employees that when testing our software always try use the known fake names we had in the system.

    If you need to test returning a long list of names searching for “smith” is fine. But if you click on “Will Smith” (or any other celebrity name you might see) someone will come to talk to you and it won’t be a pleasant conversation.

  6. #6 Ruth
    October 10, 2007

    I used to work at University of Michigan Cancer Center. It was made clear that looking up patient info if you had no need to know would result in dismissal. If any of us had leaked patient info, we would have been out. There is no excuse for it.

  7. #7 usagi
    October 10, 2007

    Of course Clooney is being gracious. Whatever else you may feel about him, he’s been a class act throughout his whole career. As for the people who accessed and leaked his records, hangin’s too good for them (metaphorically). Don’t forget, this wasn’t an act of charity or idle gossip. Tabloids pay large sums of money for this sort of information. The cost for violating the law and the patient’s trust has to be extremely high or there’s no real disincentive.

  8. #8 Ashley
    October 10, 2007

    I’d like to know how that union representative and others that share his opinion would feel if there EMR had been accessed and revealed potentially socially stigmatic information. Bottom line, in order for the public to be comfortable with health systems and providers converting to EMR and EHR (which arguably allow clinicians to provide more effective care) it has to know that the information is secure regardless of social or celebrity status. Although the penalties may seem harsh, the message would not get across any other way especially in this period of transition across health systems nationally.

  9. #9 jim
    October 10, 2007

    Different industry, same concept: At a large online retailer, customers expected and got privacy. Data access was on a limited basis. Even then, it was repeatedly drilled into people that access was, still, on a need to know basis. Any communications necessary to debug the retailer’s complex systems could only refer to the transaction or customer numbers, and never, ever personally identifiable information (e.g., the customers’ name, address, order, etc). Violating this was grounds for being terminated. The system worked pretty well; a lot of testing was done on our own accounts.

    I would expect the hospital to enforce the same policies.

  10. #10 Dr. Val
    October 10, 2007

    I think the breach was egregious. It is shocking that as many as 40 employees participated in the leak. Celebrities would often frequent the hospital where I used to work and many couldn’t help but be intrigued by the news – still no one I knew would ever dare to look at their medical record, or dream of speaking about it to others. If anyone had, we knew that it was grounds for termination. =

  11. #11 Rjaye
    October 10, 2007

    I worked at a hospital for fifteen years, and while people might have been curious about a “celebrity,” I couldn’t imagine anyone being so callous as to look them up on the hospital’s system and violating their privacy. If anyone did, they kept it to themselves, and I didn’t get any dirt on anyone.

    For forty or so people to have done so in one institution is mindboggling. That’s awful. They should have been fired as this is a violation of a patient, someone they are supposed to be caring for. The fact the hospital didn’t do so says much about the facility as well.

    Bleah. Society in a hand basket, I’m tellin’ ya.

  12. #12 human
    October 11, 2007

    If that many people did it in one place, my guess would be that it is at least in part a very serious training issue. That doesn’t justify the invasion of privacy in any way, but that is a lot of people to jump on that bandwagon.

    I work in a university. When I started my job, my boss explained exactly what was expected of me as regards FERPA, and cautioned me against some of the common ways private information is accidentally released, (“hallway talk,” leaving records out in an unlocked untended area, etc.)

    The hospital has a responsibility to its employees to make sure they understand what is expected in the first place, and to enforce it in the second. It sounds to me like they are not doing either.

  13. #13 Matt Penfold
    October 11, 2007

    Not only should anyone who leaked details to the media be fired, they should also be prosecuted. In addition any journalist who to whom the details were leaked and did not report the incident should also face prosecution.

  14. #14 Shawn
    October 11, 2007

    anyone concerned about their own health privacy should go to http://www.patientprivacyrights.org

  15. #15 hollywoodjaded
    October 11, 2007

    Some people in this town can’t wait to have some little gem that they can text Perez Hilton or X-17 about for their fifteen nanoseconds of internet fame. I agree with those who said the guilty should be fired. I also agree with the commenter who said that what Clooney says publicly about this incident and what he feels privately are likely two very different things indeed. I do recall when this happened and how the news (gossip), including _minute details_, was on-line in less than a half-hour of the accident occurring.

  16. #16 Jimmy
    October 11, 2007

    Clooney is being gracious, yes, but I’d bet that his sense of right and wrong when it comes to his own privacy has been warped by years of paparazzi hounding.

  17. #17 ks
    October 11, 2007

    a question and a statement.

    orac, are you against electronic medical records? it is unclear from the post, but throwing in the comment suggests you have reservations with the issue.

    it should be illegal for the press to report a story on someone’s medical condition without that person releasing the information themselves or through a representative.

  18. #18 steve
    October 12, 2007

    The reality of HIPAA is that noone has really had that severe of penalties for looking at something that they shouldnt have. Even those who have passed the info on have at the most been suspended or fired. I havent seen a single case where a healthcare worker has lost their license. Ive only seen two where jail time was passed on (The case of the guy stealing demographic info from the cancer clinic to get credit cards and the lady who was selling info about Federeal Employees. The law just doesnt seem that enforceable. Clooney may feel differently, but he’s not going to get people fired because they saw his file.

  19. #19 Jud
    October 12, 2007

    The most interesting thing to me about this thread is how many of the commenters are treating HIPAA and electronic medical records as a sui generis issue. To get some perspective, set HIPAA and electronic records aside, and ask yourself what you think would be appropriate discipline for employees who copied paper patient records and sold them to local media. Individuals have a legitimate expectation that their personal medical information will be kept confidential, regardless of the clumsiness with which HIPAA attempts to codify that expectation.

  20. #20 Dr. T
    October 13, 2007

    I was at the University of Nebraska Medical Center in the 1990s when Robert Redford’s son was admitted (under a pseudonym) for a liver transplant. Employees who recognized Robert Redford accessed and leaked information on the son. (The family went public after the leaks, which is why I can mention this incident.) All who accessed the records inappropriately were fired. This predated HIPAA, but I believe the firings were justified.

  21. #21 William Morriss
    October 13, 2007

    I’m frankly amazed that the union rep seemed to think that an apology would, in some universe, be sufficient. It doesn’t matter what Clooney says, either in public or in private, HIPAA requires that the workers be sanctioned (something I blogged about here). To say that its overreaching for someone to be suspended without pay for not only disclosing personally identifiable health information, but disclosing it to the media, is simply nuts.

    Also, as a note to the comment by steve that noone has gone to jail over a HIPAA violation, HIPAA isn’t really about sending people to jail. Indeed, HIPAA is really aimed at businesses (it covers health plans, health care clearinghouses and health care providers). Given that, it isn’t surprising that HIPAA violations don’t result in people being jailed, and the lack of jailtime doesn’t mean that it isn’t enforceable.

  22. #22 Nomen Nescio
    October 17, 2007

    as a computer programmer, i’m ambivalent about electronic medical records. however, judging by the comments here it seems HIPAA has done a great deal of good to an area where there be dragons.

    once information is digitized, there’s basically no technical way to prevent it from being copied widely. merely displaying it on a screen involves usually several copying operations, technically. but what you can easily do is accumulate more information, including about when, why, and by whom any copies were made.

    since the reason we want to restrict copying and dissemination of personal information is legal and social, it’s appropriate that the major security measures should be legal and social also. strict oversight and accountability seems to me the best approach, and i’m happy to hear it appears to be in place.

    that said, it’s worth keeping in mind that the user interface to any large computerized system is seldom the only way to get at the underlying data. there’s an old definition of a systems administrator: “the only employee who gets more access to corporate data than the CEO, even though they may be paid less than a unionized janitor”. in my day job i frequently work directly on back-end DBMSes manually, completely bypassing the entire application level with any and all logging and tracking it might have…

New comments have been temporarily disabled. Please check back soon.