
HIPAA Compliance Strategies

Featured Health Business Daily Story November 19, 2007

Alleged Breach of George Clooney's Health Information Leads to Suspension of 27 Staffers at N.J. Medical Center

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

When a famous Hollywood actor is suddenly admitted to your hospital, some employees will likely be tempted to take a peek at the heartthrob's medical records. But when the hospital in question later suspends more than two dozen employees without pay for allegedly violating privacy rules, those involved are bound to question whether the "punishment fits the crime," and to what extent the hospital could have better protected its celebrity patient.

The breach that sent tongues wagging among celebrity newshounds and privacy officers alike started on Sept. 21, when actor George Clooney and his girlfriend, Sarah Larson, rolled through the doors of Palisades Medical Center in North Bergen, N.J. The couple, which had been involved in a motorcycle accident in Weehawken, N.J., was treated and released the same day — Clooney with a cracked rib, Larson with a broken foot.

The story could have ended there. But in early October, newspapers, Web sites and TVs worldwide revealed that Palisades was investigating 40 staff members and had suspended 27 of them for a month without pay for allegedly accessing Clooney's protected health information (PHI) without authorization, a violation of HIPAA.

"Our commitment is to always conduct our behavior [using] the highest possible standards, and any conduct that violates the trust of our patients and the highest standards we set is taken very seriously and treated in a very serious manner," Palisades said in an Oct. 10 prepared statement that appeared in media reports. The hospital also noted that its investigation had found no evidence so far of any staffers leaking confidential information about Clooney to the media.

While nobody, including Clooney himself, denies the importance of patient privacy, some involved in the Palisades incident contend the punishment went too far.

Clooney issued a statement in reaction to the suspensions. "While I very much believe in a patient's right to privacy, I would hope that this could be settled without suspending medical workers," he said. Clooney's publicist also told The Los Angeles Times that "perhaps suspending medical workers was a little harsh."

Health Care Worker Union Calls for Probe

This point was echoed by a New Jersey union that represents some of the suspended workers. The Health Professionals and Allied Employees union contends the hospital rushed to judgment in its suspensions, and that some of the affected employees may, in fact, have been authorized to view Clooney's records.

"The question is whether or not HIPAA was violated, as well as what information was accessed and what was done with it," Ann Twomey, president of the union, tells RPP.

Some of the suspended employees claim they were simply checking to see if Clooney was actually a patient in the hospital, rather than looking at his medical records, she explains. "Just verifying that he is there - it may not be meaning that you are accessing any medical records," she says.

Twomey also is calling for an investigation into whether any of the suspended workers actually had a valid reason to access the record. "From what we know, one if not more had business looking at the chart," she says of the suspended union-represented employees. "They were conducting business at the time."

To be sure, Twomey says the union takes patient privacy as a very serious part of its charge. "HIPAA is not something we oppose. It's something we think should be enforced, but should be properly enforced." The question that hasn't been answered in this case, Twomey says, is what distinguishes a true medical record from what is not.

Twomey also contends the hospital should have taken additional privacy precautions, given Clooney's celebrity status. "The individual is entitled to that, whether it is isolating the patient or moving them to a special area, making sure that they go by a different name or code, as opposed to their celebrity name."

A Palisades spokesman told the New Jersey business publication NJBIZ that the hospital's software used to store electronic patient data will alert an unauthorized person that he or she should not be in a given record. But the software will not stop someone from accessing the data because many employees are either direct patient caregivers or related to a patient's care, the spokesman said.

The hospital did not return calls seeking comment.

A covered entity's (CE's) procedures, software, etc., for limiting PHI access need to assume that all PHI is very sensitive and must be well-protected. And to work properly, employee sanctions for violations must be applied consistently regardless of how sensitive the PHI is. To deter future violators, the ill-advised action must be punished in the same manner regardless of how damaging the PHI release turns out to be, experts say.

Celebrity Patients Test Privacy Rules

Hospitals should be aware from the get-go that their privacy practices are going to be tested when celebrities are admitted, says one privacy legal expert.

"Often it is a matter of privacy policies and procedures versus human curiosity. And often curiosity wins out," says Reece Hirsch, a partner in the San Francisco office of the law firm of Sonnenschein Nath & Rosenthal LLP. "It's often necessary to impose some additional measures, and maybe do some additional monitoring in those situations."

Hirsch tells RPP that there are some "very good" technology tools that allow hospitals to monitor and audit electronic medical records. "It is possible to see who's accessing the records and whether the appropriate people are reviewing them, with a great level of specificity," he says.

If the hospital isn't using electronic records, Hirsch continues, the organization can still impose special access restrictions, making sure that just the members of the treatment team are accessing the records, and imposing barriers that wouldn't be imposed otherwise. "Of course, you don't want to do anything that might compromise patient care," he adds.

But it may not always be clear who is actually on the treatment team and is considered a direct caregiver. "It all comes down to whether you have a legitimate argument you can make," Hirsch says. "Particularly when it comes to paper records, there is an ability of different members of the hospital staff to access the records."

LA Hospital Has Tough Policies

Some hospitals, by their very location, regularly treat well-known patients. Good Samaritan Hospital in Los Angeles is one such facility. But it doesn't matter whether the patient is a movie star or a homeless person: unauthorized access of his or her PHI will result in swift disciplinary action, says Barry Mangels, chief compliance officer at Good Samaritan.

"In this hospital, that can result in an immediate warning or an immediate dismissal, especially depending on what they do with that information," he tells RPP. "Simple curiosity might result in a first and last warning on the issue. To talk with the media concerning that would be instant dismissal."

Mangels says the hospital regularly reinforces HIPAA privacy rules with its staff members. "We tell the employees right up front that if they're accessing medical records that they have no reason to access, we track that. Our IT department can find out who accessed those records."

When Good Samaritan does have a celebrity patient, that person usually is admitted under an assumed name, Mangels explains. "We actually ask the person themselves if they want their name on the record."

"Years ago when Madonna had her first baby here, she was here under an assumed name," he recalls. "Nothing got out to the press until she was released, but that was her press people. They called everybody to get the pictures of her being released from the hospital."

When a clear violation is established, the level of punishment will likely depend on one's employer. Hirsch says the industry is divided as to what are sufficient sanctions. He recalls asking some 300 privacy professionals at a conference whether they would terminate individuals who were caught improperly accessing PHI or just discipline the workers.

"About half of them said they would terminate individuals for that, about half said they would discipline them," he says. "It all depends on the circumstances."

Hirsch says he believes the punishment against the Palisades workers is about right. "Often there is a tendency for staff members to think this is an innocent activity, taking the look at the medical records of a celebrity," he explains. "And it's the duty of the hospital to make clear that privacy and security are serious business."

Clooney's urging that the workers not be suspended simply shows he's a "nice guy," says Hirsch. "But ultimately it's the hospital that has the legal obligation and the liability risk if there's an inappropriate disclosure."

 




Copyright © 2010 by Atlantic Information Services, Inc. All rights reserved.
1100 17th Street, NW, Suite 300, Washington, DC 20036
Phone 202-775-9008 or 800-521-4323; E-mail
customerserv@aispub.com