Hospital employees suspended for snooping on injured actor

George Clooney learned a few basics about treating accident victims while playing a physician on "ER." Then he got a crash course in HIPAA when he became an accident victim in real life.

Employees of the Palisades Medical Center in North Bergen, N.J., were suspended for a month without pay when the hospital discovered they had violated Clooney's privacy during his stay there. The star was treated at Palisades after his motorcycle collided with another vehicle on Sept. 21.

The hospital did not respond to repeated requests from AMNews for information on the suspensions. But reports indicated that Palisades investigated nearly 40 employees who were suspected of violating Clooney's privacy in ways that include snooping at his electronic medical files, peeking inside his room, and leaking information, including Clooney's emergency contact information, to the media.

Jeanne Otersen, director of Health Professionals and Allied Employees, which represents 700 Palisades employees, confirmed that 27 were suspended, seven of whom were union-represented nurses and clinical technicians.

Clooney, who had a broken rib, scrapes and bruises, said he did not know about the privacy breaches until he was contacted for comment when news broke of the suspensions.

"And while I very much believe in a patient's right to privacy, I would hope that this could be settled without suspending medical workers," said Clooney in a statement released by his publicist.

Health care attorneys said regardless of how forgiving the star might be, the hospital took the right course of action.

Helen Oscislawski, a health care attorney with Fox Rothschild's Princeton, N.J., office, said the Health Insurance Portability and Accountability Act doesn't spell out specific actions a hospital must take when violations occur, only that appropriate sanctions be imposed. She said that by suspending the employees, the hospital sent the right message about its lack of tolerance for HIPAA violations.

In New Jersey, state law prohibits hospitals from releasing patient information to anyone outside the hospital without the patient's authorization, with some exceptions.

Linda Nasta, a spokeswoman for the New Jersey Dept. of Health and Senior Services, which monitors compliance with the state's privacy laws, said that Palisades had notified the department of the Clooney incident and that the matter had been handled internally. No complaints were filed, Nasta said.

Clooney said he did not hear of the breach until receiving media calls about it, but there is no indication whether the hospital had tried to contact him. In most states, a person who is a victim of an information breach must be contacted individually by the organization responsible.

Otersen said she was told by hospital officials that none of the snooping employees passed protected information to anyone outside the hospital, including the media.

The union is continuing to investigate the incident, she said, and will look at security measures the hospital has in place that would make such a breach possible.

While most cases of HIPAA and patient privacy violations do not involve celebrities, they do involve snooping, said privacy experts. Last month Ivinson Memorial Hospital in Laramie, Wyo., fired one employee and suspended two others when the hospital determined they had snooped at files they weren't authorized to see.

Other employees later admitted to having looked at their own files, which is also a violation of the law, attorneys said. Like any other patient, an employee must follow a practice's or hospital's usual protocol to see his or her own record, they said.

Most common is employees looking at the files of friends, family or co-workers. Otersen said hospitals aren't doing enough to train employees on the specifics of HIPAA, and many likely do not know that what they are doing is wrong.

"We're seeing pretty haphazard policies, with sharp and strong discipline, without proper training," she said.

Oscislawski, who agreed that training is key to prevention, said that regardless of how benign the incident, or how forgiving the victim may be, hospitals need to implement a zero-tolerance policy and stick to it.