13 hospital workers fired for snooping in Britney Spears' medical records

Oops, they did it again — second breach of singer's privacy

A health provider in Los Angeles that frequently treats celebrities announced recently that it had failed to protect the privacy of singer Britney Spears, and it wasn't the first time. Some risk management experts say that the repeated privacy breaches and the wide scale of the snooping suggest a bigger problem at the hospital system.

The University of California, Los Angeles (UCLA) Medical Center, where singer Britney Spears was hospitalized in early 2008 for psychiatric care, is firing 13 employees and suspending six physicians for looking at her medical records without a valid reason. The story was first reported in the Los Angeles Times, and then the hospital confirmed the disciplinary action.

The breach occurred even after Carole A. Klove, chief compliance and privacy officer for UCLA Medical Sciences, sent a memo to all staff reminding employees that the Health Insurance Portability and Accountability Act (HIPAA) prohibits accessing medical records without a valid reason.

This was the second breach in the UCLA system involving Spears. The Los Angeles Times reports that staff at another UCLA hospital were caught peeking at Spears' records when the singer gave birth to her first son in September 2005 at Santa Monica-UCLA Medical Center and Orthopaedic Hospital [1]. After the most recent breach, the newspaper quoted Jeri Simpson, the Santa Monica hospital's director of human resources who disciplined staff after the first instance, as saying, "It's not only surprising, it's very frustrating and it's very disappointing."

The 13 employees disciplined in the most recent breach include medical and nonmedical employees, the newspaper reports. Unlike a recent privacy breach involving actor George Clooney, there is no suggestion that any UCLA employee leaked information to the media. After the hospital publicly confirmed the privacy breach, the state Department of Public Health announced that it had opened an investigation of the hospital. There is no word yet on whether it will investigate this latest intrusion.

UCLA Health System issued a statement saying it considers patient confidentiality "a critical part of our mission of teaching, research, and patient care. All staff members are required to sign confidentiality agreements as a condition of their employment and complete extensive training on HIPAA-related privacy and security issues. We have stringent policies to protect patient confidentiality and address violations of those policies." A hospital spokesman declined to comment further, citing confidentiality concerns.

Breach could signal bigger problem

The privacy breach causes concern for those who deal with HIPAA security every day, professionals such as Susan J. Elliott, JD, MEd, a former emergency services psychiatric clinician and currently an attorney with O'Melveny & Myers in New York City. The repeated breaches of Spears' privacy within the same health system are a red flag that something is wrong with employees' understanding of HIPAA, Elliott says.

"As both a former clinician and an attorney, I find this appalling," she says.

Hospital risk managers must safeguard the records of all patients, but especially patients whose records could be "sold at auction" to the media, Elliott says. Most health systems probably have no special system in place to safeguard high-profile patients, because risk managers subscribe to the theory that all patients deserve equal protection under HIPAA, she says. While that is technically true, the Spears breaches show that some patient records are far more desirable and much more likely to be accessed improperly, Elliott says.

HIPAA calls for civil fines up to $25,000 per violation to be paid by the employer, and criminal fines up to $250,000 to be paid by the employer and/or the individual. Some cases also can result in imprisonment up to one year for a standard violation and imprisonment for up to five years for a violation committed under false pretenses.

Teresa Mosher Beluris, JD, an attorney at the law firm of McDermott Will in Los Angeles, points out that electronic health records increase the risk that a patient's information will not just be viewed by an unauthorized employee but spread to others. "The same mandates that require hospitals to store patients' files electronically in order to facilitate patient care also enable any person entitled to access a file to post it on MySpace in an instant," she says. Hospitals already limit access to essential personnel, but that group is necessarily large, she says. "Would Pentagon-level technology limit the risk? Perhaps," Beluris says. "However, no hospital I know has a Pentagon-sized budget."

Health care providers should be able to demonstrate that they took all reasonable steps to limit access by prohibiting the sharing of passwords, educating personnel on confidentiality obligations and security precautions, periodically auditing electronic file access, and utilizing security cameras in areas where electronic file access is most likely to be abused, she says. Continued high-profile violations could result in more HIPAA cases going to trial, Beluris says.

Another possible safeguard is flagging a celebrity's record for special restrictions, such as requiring a special password known only to a select few caregivers or having one senior employee be the gatekeeper to the records. Some of those restrictions will not be practical when many clinicians need access, Beluris notes.

Advance planning can help

The natural curiosity of hospital employees can be compounded by financial inducements offered to them by unscrupulous journalists seeking inside information on the case, says Leonard Nelson, JD, a professor at the Cumberland School of Law at Samford University in Birmingham, AL.

In some institutions where such an event is particularly likely to occur, there should be advance planning for the admission of celebrities, he notes. "For example, a special team should already be in place and ready to handle the public relations aspects of this sort of admission," he says. That team should include experts on maintaining the integrity and privacy of the actual records, regardless of whether they are digital or hard copy. "Computer security experts may have to be retained to prepare for this type of event, and of course they should be bonded and hired only from reputable firms," Nelson says.

Nelson also recommends old-fashioned precautions such as moving the celebrity's hard-copy records to a special room, carefully controlling distribution of keys, and posting additional security guards. "All employees should be explicitly reminded of their duties in regard to preserving patient confidentiality and the sanctions imposed for even minor breaches," he says. "This includes cautions to avoid lunch table, elevator, and restroom conversations concerning the care of the celebrity."

Reference

1. Ornstein C. UCLA workers snooped in Spears' medical records. Los Angeles Times. March 15, 2008. Accessed at: www.latimes.com/news/local/la-me-britney15mar15,0,1421107.story.