Last week, WCBS-TV in New York reported that as many as two dozen employees, including doctors and nurses, have been suspended for allegedly improperly accessing actor George Clooney's medical records. As the story goes, employees not involved with the actor's care logged into the hospital's computer system to view his records as doctors tended to his injuries, and that a security guard released a Clooney family member's telephone number. WCBS said that media seemed to have detailed information about Clooney's condition almost immediately and that as many as 40 hospital employees were under investigation for releasing information to the press, which is a violation of federal law.
Was the hospital's reaction too harsh? I personally do not think so.
Under HIPAA, there is no exception that would permit patients' protected health information (PHI) from being disclosed to the media without first obtaining a written authorization from the patient. Furthermore, hospital employees who have no need to access PHI about a patient should not be doing so. HIPAA specifically requires that covered entity providers (e.g., hospitals) have administrative, physical and technological safeguards in place that are aimed at preventing access of PHI by unauthorized individuals. In one New Jersey Supreme Court case where highly sensitive information about a patient (who also happened to be a hospital employee) was disclosed to employees throughout the hospital who where not involved in the patient's care, the Court found there that the hospital failed to have adequate policies and safeguards in place to prevent such intra-entity unauthorized dissemination of information.
There are a few lessons to take away from the Clooney incident (and many similar, but less-publicized, incidents). First, hospitals and other covered entity providers should have clear, written HIPAA policies in place to safeguard PHI from unauthorized access by employees. Second, employees must be trained on such polices, and reminded that sanctions may be applied if they fail to adhere to them. Finally, if a HIPAA safeguard policy is breached by an employee, then appropriate sanctions must be followed through on. These steps are essential to minimizing incidents like the Clooney case from occurring.