George Clooney's medical records prove irresistible to prying eyes

Privacy lapse shows common weaknesses in security, training

Ensuring the privacy of patients and the security of their medical records is fairly well accepted by staff, and most will not hesitate to pledge their commitment to keeping medical records private. But what happens when one of the world's biggest movie stars shows up at your hospital for a minor emergency, with no opportunity to plan VIP treatment and added security?

Actor George Clooney's recent treatment at Palisades Medical Center in North Bergen, NJ, apparently caused a serious breakdown of some of the most fundamental measures in place to protect patient medical records. After an internal investigation of the actions of as many as 40 employees, the hospital suspended 27 employees for a month without pay for violating the Health Insurance Portability and Accountability Act (HIPAA). Depending on the final determination of what happened and how, the hospital and the individuals involved could face potential fines of up to $250,000 and 10 years in prison for violating HIPAA.

Many legal and privacy experts point out that the Clooney case is only a sensational example of a problem that happens all the time in health care. The celebrity status made the staff more interested in the patient, so there were dozens of people violating his privacy instead of just one staff member who wants to know about a neighbor or family friend, says Scott A. Edelstein, JD, an attorney with Squire Sanders in Washington, DC.

"These types of incidents happen all too frequently and go largely unreported unless a celebrity is involved," he says. "This should serve as a wake-up call to all health care providers to review their HIPAA compliance efforts."

Noncelebrities are the target of similar breaches all the time, says Maurice A. Ramirez, DO, BCEM, CNS, CMRO, an emergency physician at Pasco Regional Medical Center and president of the risk management consulting firm High Alert, both in Kissimmee, FL. "The illusion that medical records are secure or private is only punctuated by the disclosure that 27 hospital employees indulged their voyeuristic habits by thumbing through George Clooney's chart," he says. "Every medical professional knows a colleague who regularly checks the chart of a friend or neighbor. The motive may be a desire to 'check-up' on care, a genuine if misguided concern, or just nosiness. Regardless of motive, the practice is rampant and wrong."

Celebrities pose bigger challenge

Celebrity patients pose a special challenge for privacy policies and procedures that might be entirely sufficient for everyday patients, says Reece Hirsch, JD, a partner at the law firm Sonnenschein Nath in San Francisco.

"In a struggle between human curiosity and compliance with hospital privacy policies and procedures, curiosity often wins," he says. "A hospital's privacy compliance program is never tested more than when a celebrity or other public figure is a patient."

Hirsch suggests that risk managers have a system in place that ramps up privacy policies and procedures when a celebrity patient is treated. When a celebrity enters a hospital, the hospital's risk manager, privacy officer, and compliance staff should be aware that additional safeguards may be necessary, such as monitoring media access within the facility, controlling public statements, and sharply restricting access to the celebrity's medical record — possibly by requiring that all requests for access to those records go through one person or by requiring a special password to access computerized records.

But if the patient shows up unannounced, as Clooney did, then you have to rely on staff knowing that HIPAA applies even if they are insanely curious about their favorite movie star. An electronic records system also can maintain audit logs that show exactly who accessed the records and when. Those logs can help track down unauthorized users later on and could have been key to Palisades' investigation. "Hospitals must impose real sanctions upon employees that violate privacy policies and procedures and send a clear message that protecting the privacy of patients is a priority," Hirsch says. "They should know that you will punish infractions harshly and that you will be able to track them down."
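An added example, not code from the article or from Palisades: the kind of after-the-fact audit-log review the paragraph above describes, in Python, over constructed EHR access log lines. It flags every user who opened a restricted patient's chart without being on that patient's care team, and flags any chart opened by more distinct users than expected. The log format, field names, user ids and patient ids are all assumed.

```python
"""Flag suspicious chart access in an EHR audit log (constructed example).
Check 1: a restricted patient's chart opened by someone not on the care team.
Check 2: more distinct users than expected opening one chart (the pattern
described above). Log format and field names are assumed, not a real product's."""
from collections import defaultdict
import re

# Constructed sample audit lines (not from any real system).
AUDIT_LOG = """\
2007-09-14T10:02:11 user=rn_adams role=RN patient=MRN-1001 action=VIEW
2007-09-14T10:05:43 user=md_baker role=MD patient=MRN-1001 action=UPDATE
2007-09-14T10:09:02 user=clerk_cole role=CLERK patient=MRN-1001 action=VIEW
2007-09-14T10:09:40 user=rn_diaz role=RN patient=MRN-1001 action=VIEW
2007-09-14T10:12:58 user=rn_adams role=RN patient=MRN-2002 action=VIEW
2007-09-14T10:15:30 user=tech_evans role=RADTECH patient=MRN-1001 action=VIEW
garbage line that should be reported, not silently dropped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                     r"patient=(?P<patient>\S+) action=(?P<action>\S+)$")

def parse_audit(text):
    """Return (events, malformed_lines); a log that cannot be parsed is itself a finding."""
    events, bad = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            bad.append(line)
    return events, bad

def find_violations(events, care_teams, max_distinct_users=3):
    """care_teams maps a restricted patient id to the set of users allowed to open
    the chart. Returns (off_team, crowd): off_team lists (ts, user, patient) for
    accesses outside the care team; crowd maps patient -> sorted distinct users
    when more than max_distinct_users opened that chart."""
    off_team, users_by_patient = [], defaultdict(set)
    for e in events:
        users_by_patient[e["patient"]].add(e["user"])
        team = care_teams.get(e["patient"])
        if team is not None and e["user"] not in team:
            off_team.append((e["ts"], e["user"], e["patient"]))
    crowd = {p: sorted(u) for p, u in users_by_patient.items() if len(u) > max_distinct_users}
    return off_team, crowd

if __name__ == "__main__":
    events, bad = parse_audit(AUDIT_LOG)
    off_team, crowd = find_violations(events, {"MRN-1001": {"rn_adams", "md_baker"}})
    for ts, user, patient in off_team:
        print(f"{ts}: {user} opened restricted chart {patient} without a care-team role")
    for patient, users in crowd.items():
        print(f"{patient}: {len(users)} distinct users opened the chart: {', '.join(users)}")
    for line in bad:
        print("unparsed audit line:", line)
```

The same two checks can run continuously against a live audit feed rather than after an incident, which turns the log from an investigation aid into a deterrent staff know about.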

More training needed for staff

The Clooney case demonstrates that the best preventive measures include periodic training for all doctors, staff, and employees to ensure that they understand not only the HIPAA privacy rule and related patient confidentiality laws, but also the purpose and intent of those laws, says Thomas Taylor, JD, a health law attorney with the law firm of Johns Flaherty in La Crosse, WI. Taylor has worked with several health care providers and risk managers on medical privacy issues.

"More importantly, doctors, staff, and employees need to understand that their ability to provide optimal patient care can be compromised if patients are unwilling or unable to trust them with highly sensitive medical records and information that could have a stigma if publicly disclosed," he says.

Ramirez says health care employees must understand that peeking at someone's chart without proper authorization is a major violation that will be met with swift punishment. In that respect, he says, Palisades appears to have sent the right message after the violations were discovered. But with the proper staff training and a culture that respects the patient's privacy, staff should realize on their own that reading a patient's chart is wrong.

Securing records from prying eyes is impossible, he says. "The only solution is to re-establish the relationships of mutual respect between health care institutions and their professionals, as well as between patients and providers, so that it is unbearably uncomfortable to unethically invade any patient's privacy."

Clooney not suing, but he could

A patient may be entitled to bring a lawsuit against a hospital alleging an invasion of privacy under applicable state law, Hirsch notes. However, HIPAA does not provide for a private right of action that would permit a patient to sue a hospital for a HIPAA violation. When these sorts of incidents occur, a patient can file a complaint with the Office for Civil Rights in the Department of Health and Human Services, which may choose to conduct an investigation and perhaps impose sanctions if it determines that a violation has occurred, he says.

A patient complaint is not necessary for a HIPAA violation to be found and for sanctions to be imposed, Hirsch explains. Taylor notes that doctors, health care organizations, health insurers, and staff who knowingly obtain or disclose protected health information in violation of HIPAA face a potential fine of $50,000 and one year in prison. People who misuse private medical information under false pretenses face fines of up to $100,000 and up to five years in prison, and people who misuse information with the intent to sell, transfer, or use for commercial gain or malicious harm face fines of up to $250,000 and up to 10 years in prison. Those most severe penalties could apply if authorities determine that any hospital employees sold protected health information about Clooney to the media, Taylor says. In addition to that, there is a growing body of case law across the United States allowing individual patients to pursue civil lawsuits and recover damages from health care organizations and staff who breach patient confidentiality, Taylor says.

Clooney has not indicated publicly that he would sue for invasion of privacy, says Barry Gerald Sands, JD, a defense lawyer in Los Angeles whose practice encompasses substance abuse and attendant patient confidentiality issues, sometimes including celebrity patients. He says a civil suit is nevertheless quite possible after such an incident. "Had anyone taken pictures and sold them for profit, the risk would be higher. Had it been anyone other than the good-natured Mr. Clooney, one might have already been filed by now," Sands says. "Keep in mind that whenever a celebrity is involved, people seem to go a little crazy. Nevertheless, risk managers must emphasize that one picture, one record release is not worth a career."

Sources

For more information on privacy breaches, contact:

  • Scott A. Edelstein, JD, Squire, Sanders & Dempsey, 1201 Pennsylvania Ave. N.W., Suite 500, Washington, DC 20044-0407. Phone: (202) 626-6600.
  • Reece Hirsch, JD, Sonnenschein, Nath & Rosenthal, 525 Market St., 26th Floor, San Francisco, CA 94105-2708. Telephone: (415) 882-5000. E-mail: Rhirsch@sonnenschein.com.
  • Maurice A. Ramirez, DO, BCEM, CNS, CMRO, 1200 Providence Blvd., Kissimmee, FL 34744-5151. Telephone: (407) 301-3458. E-mail: Renaissancedoc@earthlink.net.
  • Barry Gerald Sands, JD, 10100 Santa Monica Blvd., Suite 300, Los Angeles, CA 90067. Phone: (310) 201-0909. E-mail: bsandslaw@aol.com.
  • Thomas Taylor, JD, Johns, Flaherty & Collins, 205 Fifth Ave. S., Suite 600, P.O. Box 1626, La Crosse, WI 54602-1626. Phone: (608) 784-5678.