George Clooney and HIPAA

A recent entertainment news story involving celebrity medical records is an example of the problems associated with employee activities and reminds us of the need for continuous vigilance in protecting sensitive medical data. This story highlights that it is a good time for additional training of workforce members on these issues.

Following a motorcycle accident involving George Clooney and his girlfriend, they were seen at the Palisades Medical Center in New Jersey for their injuries. More than two dozen employees were suspended for a month, without pay, for allegedly accessing Clooney’s confidential medical records. A union representing seven of the suspended nurses said that the employees, although they looked at Clooney’s records, did not divulge any confidential information.

The interesting thing about this case is that it shows the tight link between the HIPAA Privacy and Security Rules. Due to the number of employees who allegedly, inappropriately accessed his records, it is likely that it was done by looking at electronic information—a security breach by “inside employees.” Fortunately, it appears that the hospital’s audit practices, which are required under the Security Rule, caught the breach. Unfortunately, it appears that the staff was not trained well enough to keep from inappropriately accessing the information in the first place, and apparently were not aware they could be caught and disciplined.

The case also illustrates some of the differences between privacy risks posed by paper versus electronic records. Electronic records can lead to a breach of a patient’s privacy without even having physical access to the health records. And, after a patient’s privacy is breached electronically, it can never be recovered.

Punitive Damages for Breaches of Medical Privacy

A case out of New York also serves as a cautionary tale with regard to the monetary damages that may be awarded for breaches of medical privacy.

In J. v. Long Island Surgi-Center (N.Y.A.D. 2nd Dept., September 25, 2007), a 20 year-old, unmarried woman who lived with her parents decided to terminate her pregnancy at the Long Island Surgi-Center. Since her parents disapproved of pre-marital sex and were implacably opposed to abortion, she was determined to keep her decision from them.

When she first contacted the clinic to arrange for the procedure, she provided her cell phone number and gave specific instructions never to call her at home. The day after her abortion, nevertheless, one of the clinic’s nurses telephoned the young woman’s home and spoke with the person she knew to be her mother. In the course of the conversation, the nurse revealed information sufficient to allow the mother to conclude that her daughter had had an abortion.

On appeal, the Court of Appeals held that, in the young woman’s subsequent action to recover damages for wrongful disclosure of confidential medical information under New York’s Public Health Law, the trial court was “not in error” to submit the issue of punitive damages to the jury.

View PDF