My guess is that basically everyone is aware, on at least some level, that George Clooney was involved in a motorcycle accident (if not, the CNN story is here). Normally, this is something that would hold no interest for me, and it certainly wouldn't be worth putting in a blog about information security and data privacy. In this case, though, there's a twist: it seems that this "news" was broken by personnel at the hospital where Clooney was treated after the crash, with non-treating employees accessing Clooney's medical records and passing them, along with other information like Clooney's girlfriend's phone number, to the press (details here). Such a leak is a clear violation of the HIPAA privacy rules (available here), which, as a general rule, require consent for the disclosure of personally identifiable health information. 45 C.F.R. 164.508(a)(1) ("Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section."). Of course, it is possible to de-identify information in compliance with HIPAA. However, there is no chance that the information provided about Clooney could be considered properly de-identified.
So what are the consequences of such a blatant violation? So far, 40 employees at the facility where Clooney was treated are under investigation, and more than two dozen have been suspended without pay. A representative from their union said that the punishment is too harsh, but I'm curious what she expected. Under HIPAA, a health care provider "must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart." 45 C.F.R. 164.530(e)(1). Translation: no matter how sorry the employees are, they are still subject to their employer's sanction policy, which the employer is required by law to enforce.
The take-home message of all this? Don't disclose personally identifiable health information, especially not to the media. If you do, federal law requires that you be punished.