Clooney case shows need for training
The privacy breach with George Clooney's medical records indicates the staff of Palisades Medical Center in North Bergen, NJ, did not truly understand the Health Insurance Portability and Accountability Act (HIPAA), says Don Thomas, CEO of SoftLight Development, a health care consulting firm in Dallas, and a certified HIPAA security consultant.
"HIPAA is quite clear on this type of breach of privacy. Section 1177 clearly identifies this action as a violation with a possible fine of up to $50,000 or one year in prison or both," he says. "If it was one or two accessing the records, it may have been more malicious in nature, but this many people involved shows a clear sign that they did not understand HIPAA and the ramifications of it."
Thomas cautions risk managers not to focus on the fact that the patient was a celebrity. This case is not about how to protect a celebrity's privacy; rather, it reveals how all patient records can be compromised, he says. "The real problem is this type of action occurs on a regular basis to the average American and that it is only noticed when a celebrity is involved," he says. "You heard about it, and the leadership at Palisades heard about it because Clooney is a celebrity. But this kind of problem occurs all the time without it making the news."
Hospital's system broke down
The incident signaled a major failure of the hospital's records privacy system, says James Stewart, JD, a partner with the law firm of Stewart Stimmel in Dallas.
"This was a system breakdown; and whenever there is a system breakdown, an analysis needs to be performed to find where it failed and then put in additional safeguards to prevent the failure in the future," he says. "In this instance, someone had control over those records and failed to properly exercise that control. When the first person asked to see them, the person in control should have reacted accordingly."
The fact that the patient was a celebrity only escalated the interest in the records, Stewart says. It should not have changed the way the records were protected, he says. The law protects everyone's records equally, and if the law is followed, then nothing special needs to be done for celebrities, Stewart says. "I fully expect that this hospital has appropriate policies for the protection of confidential health care information, and if it is a Joint Commission-accredited hospital, then I am certain it has policies that should work," he says. "You just have to enforce the policies equally across the board."
And that's where things fell apart, says Barry Gerald Sands, JD, a defense lawyer in Los Angeles. He says a key lesson from the Clooney incident is that even the best policies and procedures don't work if employees just choose not to follow them one day.
"The lesson learned is vigilance along with a stated, very public enforcement policy should be in place," he says. "Another lesson learned is no matter how many employees attend ongoing HIPAA lectures and seminars, management must continue reminding workers that the privacy rights of patients is always on the mind of personnel as a priority."
For more information on privacy laws and the records breach, contact: