Ephemerallaw: George Clooney and an Object Lesson on HIPAA

Saturday, October 13, 2007

George Clooney and an Object Lesson on HIPAA

My guess is that basically everyone is aware, on at least some level, that George Clooney was involved in a motorcycle accident (if not, the CNN story is here). Normally, this is something that would hold no interest for me, and it certainly wouldn't be worth putting in a blog about information security and data privacy. In this case though, there's a twist...it seems that this "news" was broken by personnel at the hospital where Clooney was treated after the crash, with nontreating employees accessing Clooney's medical records and passing them, along with other information like Clooney's girlfriend's phone number to the press (details here). Such a leak is a clear violation of the HIPAA privacy rules (available here, which as a general rule, require consent for the disclosure of personally identifiable health information. 45 C.F.R. 164.508(a)(1) ("Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section."). Of course, it is possible to de-identify information in compliance with HIPAA. However, there is no chance that the information provided about Clooney could be considered properly de-identified.

So what are the consequences of such a blatant violation? So far, 40 employees at the facility where Clooney was treated are under investigation, and more than two dozen have been suspended without pay. A representative from their union said that the punishment is too harsh, but I'm curious what she expected. Under HIPAA, a health care provider "must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart." 45 C.F.R. 164.530(e)(1). Translation: no matter how sorry the employees are, they are still subject to their employer's sanction policy, which the employer is required by law to enforce.

The take home message of all this? Don't disclose personally identifiable health information, especially not to the media. If you do, federal law requires that you be punished.

1 comment:

Anonymous said...: It's a violation. They have to suffer those consequences. It's unappropriate and unprofessional to leak infos. to media.

Clooney is a nice person. See more of him on George Clooney bio.; April 2, 2008 at 11:57 AM

Post a Comment

Privacy Statement

The authors value the privacy of their blog viewers. This site does not currently collect personal identifying information ("PID"), except: (1) to the extent that your browser provides PID, like your e-mail address or the site you linked from, to this site's server; (2) to the extent that you provide PID to this site in an e-mail; and (3) to the extent that you provide PID to this site in a CGI form (for example, when you complete a search request on this site’s “Search this Site” search feature. Your PID will be used only for the specific purpose for which you submitted the PID, except that it may be used in an aggregated form to gauge the popularity of this site. "Cookies" are pieces of information that some web sites transfer to the computer that is browsing that web site, and are used for record-keeping purposes at many web sites. Use of Cookies performs certain functions such as saving your passwords, lists of potential purchases, and your personal preferences regarding your use of the particular web site. This site uses Cookies to gather anonymous traffic data. Your browser is probably set to accept Cookies. However, if you would prefer not to receive Cookies, you can alter the configuration of your browser to refuse Cookies. This site contains links to other sites. The authors and their employers do not share your personal information with those sites and are not responsible for their privacy policies. We encourage you to learn about the privacy policies of those entities. Children under 13 years old are not the target audience of this site. To protect their privacy, the authors prohibit the solicitation of personal information from these children. The authors reserve the right to change this Privacy Policy at any time by posting a new privacy policy at this location. You can e-mail any further questions to wmorriss@fbtlaw.com.

Disclaimer

This site is provided for informational purposes only. The views expressed herein are solely those of the authors and should not be attributed to their employer or their clients. These materials do not constitute legal advice and do not create an attorney-client relationship between you and us. Please note that you are not considered a client until you have signed a retainer agreement and your case has been accepted by us. This site should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Got it? THIS SITE IS "AS IS." WE MAKE NO REPRESENTATIONS AS TO THE ACCURACY, TIMELINESS OR COMPLETENESS OF THE STUFF HERE AND YOU SHOULD NOT RELY UPON IT. USE AT YOUR OWN RISK. WE EXPRESSLY DISCLAIM ALL WARRANTIES. This may be an advertisement. Your mileage may vary. Past performance does not guarantee future returns. Do not run with scissors. NOTE: This disclaimer is largely taken from the established and extremely well written blog Patent Baristas.

Ephemerallaw

Saturday, October 13, 2007

George Clooney and an Object Lesson on HIPAA

1 comment:

Useful Resources

Blog Archive

Contributors

Other Sites

Privacy Statement

Disclaimer