HIPAA law and celebrity

One of the most important responsibilities of health care workers and hospitals is to protect the privacy of the patients for whom they care. Unfortunately, in the case of George Clooney's recent hospitalization for injuries sustained in a motorcycle crash, a consequence of electronic medical records was revealed when dozens of employees, some of whom apparently leaked the information to the press, accessed Clooney's medical records. Of course, these employees didn't seem to realize that EMRs allow the tracking and identification of anyone who logs on to the system. Anyone who logs on leaves an electronic trail of exactly what information he or she accessed.

What irritated me as I saw this story on the news and read about it is how many people were defending the hospital employees. A typical statement came from a union representative:

"It was inappropriate but they are paying a steep price. But I don't even think George Clooney would want people to pay. Again, the apology to him for his privacy rights [is necessary], but I think in fact the hospital is overreacting," says Jean Oterson of the HPAA."

Even George Clooney seems to take this line.

From my perspective, the hospital is not overreacting. Leaking confidential patient data is a violation of federal law for which the hospital and employees could be prosecuted. As for what penalties are appropriate, it depends. If an employee only accessed the information out of curiosity and didn't leak it, then I do consider it a rather minor offense that deserves at most a suspension. However, there is a strong suspicion that at least some of these employees did leak information to the press:

Within minutes, the media seemed to know everything about Clooney's condition, and sources tell CBS 2 HD that hospital officials are now investigating whether or not their own employees leaked information about Clooney to the media.

CBS 2 HD has learned as many as 40 employees are being investigated, and the hospital has suspended 27 employees for a month without pay after being accused of accessing Clooney's medical records and giving that information to the press -- which is a violation of federal law.

The bottom line is that any employee who can be shown to have leaked George Clooney's medical information to the press should be fired. Period. There is no excuse for such behavior. Clooney may be magnanimous in not wanting anyone suspended and fired, but the issue raised by this behavior goes beyond his personal wishes. It goes to the heart of the responsibility of hospitals and health care workers not to compromise the privacy of their patients, and a message needs to be sent that such behavior is intolerable.

More like this

There have been stories and novels about the end of privacy.  1984, by George Orwell, comes to mind.  I also remember reading a science fiction short story once, about how technology had made privacy so difficult to maintain, and so accepted by society, that it was considered rude to want privacy…
I just found out via one of the mailing lists I'm on of a very disturbing case in Kermit, Texas. Two nurses who were dismayed and disturbed by a physician peddling all manner of herbal supplements reported him to the authorities. Now, they are facing jail: In a stunning display of good ol' boy…
If the 1960s film, The Graduate, were to be made today (Graduate, II: The Stimulus), the iconic scene at the party where a friend of the family takes Dustin Hoffman aside and whispers in his ear, "I have only one word for you, Plastics") would be transmogrified into, "I have only three words for…
The 9th Circuit Court of Appeals has upheld Hewlett-Packard's right to fire an employee who insisted on posting anti-gay bible verses on his office cubicle in response to the company having posters encouraging respect for diversity in the office building he worked in. The diversity campaign, as the…

It is a matter of trust. When anyone enters a hospital, we must be able to completely trust those who care for us, medically and personally. There are rules in place to help ensure that trust. If my trust were betrayed like this, I would also want punishments handed out.

Mr. Clooney may be publicly gracious - how he feels personally might be another story. He would certainly have grounds for legal action against the hospital if he changes his mind. It is not OK to break the law just because the victim is not outraged. The next one might very well be. Hospital employees who don't understand this should be working somewhere else!

Considering all those employees have to HIPAA certify CONSTANTLY, there is no excuse. This is utterly ridiculous. They do need to be suspended. When the murderer Mark Hacking went into the psych ward at the U. of Utah, there was an immediate memo sent out about not talking ot the press and no accessing of medical records because it was clear that people had immediately broken the rules. I believe several people were suspended.

I'm not advocating that these people shouldn't have punitive action taken.

But, HIPAA, as implemented, is a truly defective, broken system. As such, it should be ridiculed and followed only in spirit. Do I believe even the barest spirit was broken in this instance? Yes.

What do I think should be done? Instead of suspending everyone without pay, make them work, and dock their pay down to minimum wage levels. Then, take that money that was docked, and allow George Clooney to recommend where it gets donated.

It may not be funny, but it sure as shit isn't sad.

-j

I worked as a programmer at a large hospital in the Boston area not too long ago. A lot of what I did involved software to retrieve patient records. I remember being told by one of my fellow employees that when testing our software always try use the known fake names we had in the system.

If you need to test returning a long list of names searching for "smith" is fine. But if you click on "Will Smith" (or any other celebrity name you might see) someone will come to talk to you and it won't be a pleasant conversation.

I used to work at University of Michigan Cancer Center. It was made clear that looking up patient info if you had no need to know would result in dismissal. If any of us had leaked patient info, we would have been out. There is no excuse for it.

Of course Clooney is being gracious. Whatever else you may feel about him, he's been a class act throughout his whole career. As for the people who accessed and leaked his records, hangin's too good for them (metaphorically). Don't forget, this wasn't an act of charity or idle gossip. Tabloids pay large sums of money for this sort of information. The cost for violating the law and the patient's trust has to be extremely high or there's no real disincentive.

I'd like to know how that union representative and others that share his opinion would feel if there EMR had been accessed and revealed potentially socially stigmatic information. Bottom line, in order for the public to be comfortable with health systems and providers converting to EMR and EHR (which arguably allow clinicians to provide more effective care) it has to know that the information is secure regardless of social or celebrity status. Although the penalties may seem harsh, the message would not get across any other way especially in this period of transition across health systems nationally.

Different industry, same concept: At a large online retailer, customers expected and got privacy. Data access was on a limited basis. Even then, it was repeatedly drilled into people that access was, still, on a need to know basis. Any communications necessary to debug the retailer's complex systems could only refer to the transaction or customer numbers, and never, ever personally identifiable information (e.g., the customers' name, address, order, etc). Violating this was grounds for being terminated. The system worked pretty well; a lot of testing was done on our own accounts.

I would expect the hospital to enforce the same policies.

I think the breach was egregious. It is shocking that as many as 40 employees participated in the leak. Celebrities would often frequent the hospital where I used to work and many couldn't help but be intrigued by the news - still no one I knew would ever dare to look at their medical record, or dream of speaking about it to others. If anyone had, we knew that it was grounds for termination. =

I worked at a hospital for fifteen years, and while people might have been curious about a "celebrity," I couldn't imagine anyone being so callous as to look them up on the hospital's system and violating their privacy. If anyone did, they kept it to themselves, and I didn't get any dirt on anyone.

For forty or so people to have done so in one institution is mindboggling. That's awful. They should have been fired as this is a violation of a patient, someone they are supposed to be caring for. The fact the hospital didn't do so says much about the facility as well.

Bleah. Society in a hand basket, I'm tellin' ya.

If that many people did it in one place, my guess would be that it is at least in part a very serious training issue. That doesn't justify the invasion of privacy in any way, but that is a lot of people to jump on that bandwagon.

I work in a university. When I started my job, my boss explained exactly what was expected of me as regards FERPA, and cautioned me against some of the common ways private information is accidentally released, ("hallway talk," leaving records out in an unlocked untended area, etc.)

The hospital has a responsibility to its employees to make sure they understand what is expected in the first place, and to enforce it in the second. It sounds to me like they are not doing either.

Not only should anyone who leaked details to the media be fired, they should also be prosecuted. In addition any journalist who to whom the details were leaked and did not report the incident should also face prosecution.

By Matt Penfold (not verified) on 11 Oct 2007 #permalink

Some people in this town can't wait to have some little gem that they can text Perez Hilton or X-17 about for their fifteen nanoseconds of internet fame. I agree with those who said the guilty should be fired. I also agree with the commenter who said that what Clooney says publicly about this incident and what he feels privately are likely two very different things indeed. I do recall when this happened and how the news (gossip), including _minute details_, was on-line in less than a half-hour of the accident occurring.

By hollywoodjaded (not verified) on 11 Oct 2007 #permalink

Clooney is being gracious, yes, but I'd bet that his sense of right and wrong when it comes to his own privacy has been warped by years of paparazzi hounding.

a question and a statement.

orac, are you against electronic medical records? it is unclear from the post, but throwing in the comment suggests you have reservations with the issue.

it should be illegal for the press to report a story on someone's medical condition without that person releasing the information themselves or through a representative.

The reality of HIPAA is that noone has really had that severe of penalties for looking at something that they shouldnt have. Even those who have passed the info on have at the most been suspended or fired. I havent seen a single case where a healthcare worker has lost their license. Ive only seen two where jail time was passed on (The case of the guy stealing demographic info from the cancer clinic to get credit cards and the lady who was selling info about Federeal Employees. The law just doesnt seem that enforceable. Clooney may feel differently, but he's not going to get people fired because they saw his file.

The most interesting thing to me about this thread is how many of the commenters are treating HIPAA and electronic medical records as a sui generis issue. To get some perspective, set HIPAA and electronic records aside, and ask yourself what you think would be appropriate discipline for employees who copied paper patient records and sold them to local media. Individuals have a legitimate expectation that their personal medical information will be kept confidential, regardless of the clumsiness with which HIPAA attempts to codify that expectation.

I was at the University of Nebraska Medical Center in the 1990s when Robert Redford's son was admitted (under a pseudonym) for a liver transplant. Employees who recognized Robert Redford accessed and leaked information on the son. (The family went public after the leaks, which is why I can mention this incident.) All who accessed the records inappropriately were fired. This predated HIPAA, but I believe the firings were justified.

I'm frankly amazed that the union rep seemed to think that an apology would, in some universe, be sufficient. It doesn't matter what Clooney says, either in public or in private, HIPAA requires that the workers be sanctioned (something I blogged about here). To say that its overreaching for someone to be suspended without pay for not only disclosing personally identifiable health information, but disclosing it to the media, is simply nuts.

Also, as a note to the comment by steve that noone has gone to jail over a HIPAA violation, HIPAA isn't really about sending people to jail. Indeed, HIPAA is really aimed at businesses (it covers health plans, health care clearinghouses and health care providers). Given that, it isn't surprising that HIPAA violations don't result in people being jailed, and the lack of jailtime doesn't mean that it isn't enforceable.

as a computer programmer, i'm ambivalent about electronic medical records. however, judging by the comments here it seems HIPAA has done a great deal of good to an area where there be dragons.

once information is digitized, there's basically no technical way to prevent it from being copied widely. merely displaying it on a screen involves usually several copying operations, technically. but what you can easily do is accumulate more information, including about when, why, and by whom any copies were made.

since the reason we want to restrict copying and dissemination of personal information is legal and social, it's appropriate that the major security measures should be legal and social also. strict oversight and accountability seems to me the best approach, and i'm happy to hear it appears to be in place.

that said, it's worth keeping in mind that the user interface to any large computerized system is seldom the only way to get at the underlying data. there's an old definition of a systems administrator: "the only employee who gets more access to corporate data than the CEO, even though they may be paid less than a unionized janitor". in my day job i frequently work directly on back-end DBMSes manually, completely bypassing the entire application level with any and all logging and tracking it might have...

By Nomen Nescio (not verified) on 17 Oct 2007 #permalink