Clooney case shows need for training
The privacy breach with George Clooney's medical records indicates the staff of Palisades Medical Center in North Bergen, NJ, did not truly understand the Health Insurance Portability and Accountability Act (HIPAA), says Don Thomas, CEO of SoftLight Development, a health care consulting firm in Dallas, and a certified HIPAA security consultant.
"HIPAA is quite clear on this type of breach of privacy. Section 1177 clearly identifies this action as a violation with a possible fine of up to $50,000 or one year in prison or both," he says. "If it was one or two accessing the records, it may have been more malicious in nature, but this many people involved shows a clear sign that they did not understand HIPAA and the ramifications of it."
Thomas cautions risk managers not to focus on the fact that the patient was a celebrity. The case is not about how to protect a celebrity's privacy; rather, it reveals how all patient records can be compromised, he says. "The real problem is this type of action occurs on a regular basis to the average American and that it is only noticed when a celebrity is involved," he says. "You heard about it, and the leadership at Palisades heard about it because Clooney is a celebrity. But this kind of problem occurs all the time without it making the news."
Hospital's system broke down
The incident signaled a major failure of the hospital's records privacy system, says James Stewart, JD, a partner with the law firm of Stewart Stimmel in Dallas.
"This was a system breakdown; and whenever there is a system breakdown, an analysis needs to be performed to find where it failed and then put in additional safeguards to prevent the failure in the future," he says. "In this instance, someone had control over those records and failed to properly exercise that control. When the first person asked to see them, the person in control should have reacted accordingly."
The fact that the patient was a celebrity only escalated the interest in the records, Stewart says. It should not have changed the way the records were protected, he says. The law protects everyone's records equally, and if the law is followed, then nothing special needs to be done for celebrities, Stewart says. "I fully expect that this hospital has appropriate policies for the protection of confidential health care information, and if it is a Joint Commission-accredited hospital, then I am certain it has policies that should work," he says. "You just have to enforce the policies equally across the board."
And that's where things fell apart, says Barry Gerald Sands, JD, a defense lawyer in Los Angeles. He says a key lesson from the Clooney incident is that even the best policies and procedures don't work if employees just choose not to follow them one day.
"The lesson learned is vigilance along with a stated, very public enforcement policy should be in place," he says. "Another lesson learned is no matter how many employees attend ongoing HIPAA lectures and seminars, management must continue reminding workers that the privacy rights of patients are always on the mind of personnel as a priority."
Ensuring the policy is implemented is critical to its success, as evidenced by the failure of so many employees to honor federal law in this area, Sands says. He says the scale of the privacy breach, with at least 27 employees casually violating HIPAA, suggests that the hospital's medical records privacy policy had been "extremely lax" prior to the incident. "There had to have been a problem if 27 people felt comfortable to grossly breach HIPAA regulations," he says. "There were problems at intake and at a supervisory level, but perhaps more important was that 27 people seemingly routinely violated HIPAA regulations. How could a hospital claim HIPAA credibility and experience that kind of failure rate?"
Sources
For more information on privacy laws and the records breach, contact:
- James Stewart, JD, Stewart Stimmel, 1701 N. Market St., Suite 318, L.B. 18, Dallas, TX 75202. Phone: (214) 615-2012.
- Don Thomas, CEO, SoftLight Development, 1431 Greenway Drive, Suite 600, Irving, TX 75038. Phone: (972) 353-3800.