Wednesday, October 10, 2007

Viewing George Clooney's Medical Records - Was It Worth Being Suspended For It?

For those of you unaware, George Clooney and his girlfriend, Sarah Larson, were involved in a motorcycle accident last month, on 9/21/07.

But, you probably haven't heard that 27 employees at the hospital where he was treated were just suspended for a month without pay for viewing his PHI (Protected Health Information) - here's the story on CNN...

Check out this quote from the article...

More than two dozen employees at Palisades Medical Center have been suspended after accessing the personal medical records of actor George Clooney, who was taken to the North Bergen, N.J., hospital last month after a motorcycle accident.

Hospital spokesman Eurice Rojas said late Tuesday that 27 employees were suspended for a month without pay, after an internal investigation. Accessing a person's medical records without authorization is a violation of the Health Insurance Portability and Accountability Act (HIPAA) -- a federal law that protects the privacy of patients.

So, what is your take on the punishment - a month off without pay? Does the punishment fit the crime? Even George Clooney, the victim, doesn't think these workers should be suspended for it...

My take? I don't think the punishment fits the crime. If the same 27 employees were found to have viewed my PHI then at the most they would have received a "verbal warning" for the file - but add George Clooney to the mix and the celebrity hype that comes with it, all bets are off and the punishment is taken to the extreme.

Anyone else out there with a take on this?


Anonymous said...

I am particularly interested in this story as a director of the electronic medical record we use in the physicians group I work for, so...please bear with me...

When implementing our EMR, we modeled our security measures after the one the hospital many of our physicians are associated with developed, which basically adds up to a zero tolerance policy. One of the advantages of an EMR is that you can track any information users access, as I presume is the case here, and the general rule of thumb is that there are two reasons, and two reasons only why ANYONE should be looking in a patient's chart--whether it be George Clooney or Joe Schmoe:

1). You are directly involved in the patient's care (physicians and clinical staff).

2). You have to access information contained in the record in order to be able to do your job (support staff). End of story.

In my clinic, if you can't satisfy either of the above rules when looking in a patient's chart, you're outta there. Forget verbal warnings, forget suspensions without pay. For instance, one of the physicians I worked for had a relationship with the Nike Corporation and therefore saw a number of high profile, household name famous athletes. I was made privy to the fact they were patients because it was my job to purge old information, which theirs was. Today, even though it's been well over 10 years (the legal statute of limitations in most states regarding medical records) since these patients were seen, I STILL can't tell you who they are; it would be a violation of their confidentiality. Another example is that I got to check a very well known author in at the front desk for an appointment, and I couldn't even go home and tell my mother, who I tell everything to, that they were even there.
This author is dead now, and I know why, but I can't tell anyone that, either. ;) The same would be true for a patient who happens to live across the street from my mom, as well.
The reason for this hard tack is that before the HIPAA regulations were enacted, only certain medical information was considered "Protected Health Information"--i.e. AIDS, mental health or drug and alcohol related--and you could get into BIG trouble for accessing or releasing that sort of information to the wrong party. The point and purpose of the HIPAA regulations is to, in addition to addressing the possible security breaches inherent in a computer-oriented information age, make ALL medical information protected, whether it be bi-polar disorder, or, say...a fractured rib.

While it's nice that Mr. Clooney is defending the suspended medical workers at the hospital where he was treated--he understands why they did it; after all, he IS George Clooney--considering that any proven breach of HIPAA regs is punishable by up to $18,000 dollars in fines (which the HOSPITAL would pay--sorry, you can't get blood out of a turnip, and if there's more than two dozen people guilty of such violations, well, you do the math) and/or 10 years in federal PRISON (time said turnips would do), and that this story has become national news, which the Department of Human Services could take and run with like young boys in a field if they wanted to, I would say the punishment is actually pretty lenient. These folks are lucky they still have jobs at all.

Anonymous said...

anyone concerned about their own health privacy should go to