Some 27 workers at a New Jersey hospital were suspended Wednesday after reportedly taking a peek at George Clooney's confidential medical records while the actor was being treated there following a motorcycle accident.
None of the employees, each suspended for four weeks, were doctors treating Clooney, administrators said, raising a host of questions about who can view private medical information and what measures are in place to protect patients' privacy.
Clooney was taken to Palisades Medical Center in North Bergen, N.J. Sept. 21 after he and passenger Sarah Larson were injured when the motorcycle he was driving collided with a car. Clooney broke a rib and Larson broke her foot.
Hospital administrators said the confidentiality breach was discovered after a routine audit.
"We conduct audits on a regular basis to make sure our systems are protecting individuals' rights," Eurice Rojas, the hospital's vice president of external affairs, told The Associated Press. "We conducted an audit immediately with respect to this situation and that resulted in [the investigation]."
Since 1996, when confidential medical information started getting stored on computer systems, insurance companies and hospitals have been required by federal law to maintain the privacy of health records.
"Privacy rules and the need for privacy exist to encourage individuals to seek medical care and be open and honest about their symptoms and concerns. Only through that open exchange can people get proper care," said Susan McAndrews, deputy director of health-information privacy at the Department of Health and Human Service's Office of Civil Rights.
Under the Health Insurance Portability and Accountability Act, or HIPAA, the department is charged with ensuring that insurance companies and health care providers don't violate the law by allowing unauthorized employees to gain access to patient records.
McAndrews said an employee's ability to get access to information about an individual patient depends largely on how closely the employee is involved in that person's treatment.
"Who should be able to look at personal information depends largely on their role. A nurse on duty has a greater need than, say, a candy-striper delivering flowers or a dietitian in the cafeteria making lunch trays. … Workers cannot just look up an individual's file out of curiosity. … Each facility has processes to keep information within certain boundaries. Information just can't flow freely," McAndrews said.
By law, all workers who can potentially obtain access to sensitive information must be trained to understand their responsibilities, McAndrews said.
If the government finds that workers have violated a patient's privacy it can impose monetary civil penalties or refer the case to the Department of Justice to take criminal action.
The Justice Department has taken three such cases to court since 2003. Some 30,000 complaints of HIPAA violations have been filed with Health and Human Services since 2003.
"Two out of three of those complaints are not eligible to be investigated," McAndrews said. "In 5,000 cases, we've obtained good corrective action and forced facilities to comply with the privacy rule."
Clooney, a staunch privacy advocate, surprised many when he said the workers should not have been suspended.
"And while I very much believe in a patient's right to privacy," he said in a statement released to the media, "I would hope that this could be settled without suspending medical workers."
Privacy-rights advocates, however, point to Clooney's case as an example of the limits of the current system in protecting patients' privacy.
"Can you protect yourself against this kind of violation?" asked Barry Steinhardt, director of the American Civil Liberties Union Technology and Liberty Program. "No you cannot. There is no question these people simply violated HIPAA and their own internal guidelines. They just broke the law. What was Clooney supposed to do, not go to the hospital?"