Jonathan Fanaroff MD, JD and Gilbert Martin, MD
The physical assault reported by “Empire” actor Jussie Smollett on January 29 made national and international headlines, especially after he was later charged with disorderly conduct for filing a false police report. A less widely reported story, but one with important lessons for health care professionals, was the firing of more than 50 hospital employees at Northwestern Memorial Hospital, where Smollett was treated after the assault, for improperly accessing Smollett’s electronic medical records in violation of the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA was passed in 1996 after Congress decided there was a need for federal standards to protect the privacy of individually identifiable health information. Rules and regulations supporting HIPAA are issued by the federal Department of Health and Human Services (HHS). These regulations, known as the ‘Privacy Rule,’ require that any health care provider that transmits health information in electronic form take steps to protect all “individually identifiable health information.” This information, known as “Protected Health Information” (PHI) includes any information allowing identification of an individual. This includes obvious information such as address, birthday, and social security number, but also less obvious information such as birth weight, hospital room number, or the date of a procedure.
Entities that must follow HIPAA regulations are called “covered entities.” These covered entities include hospitals, medical offices, health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care.
Many health care professionals mistakenly believe that as long as they do not include the patient’s name they can publicly share information about their patients without violating HIPAA, and it has cost them their jobs. For example, an ER nurse in Michigan came home from a shift and posted to Facebook her displeasure at having treated a “cop killer” that day. Even though the posting did not include the patient’s name, they were readily identifiable due to ongoing media coverage, and the nurse was terminated.
Physicians have also been prosecuted for HIPAA violations. Is the U.S. Department of Justice increasing its involvement in violations? Physicians need a wake-up call to understand that HIPAA is more than a privacy and security framework; it also carries criminal liability.
Hospitals do not tolerate HIPAA infractions for several reasons. First, patients appropriately want and expect their health care information to be private, and violations of that privacy can impact where they choose to receive care. Second, there is significant negative publicity associated with privacy violations. Finally, the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009, sets out increased financial and criminal penalties for HIPAA violations, including years in prison and millions of dollars in fines.
One fired Northwestern employee interviewed for the local CBS news (2CBSChicago – Dana Kozlov – March 7, 2019, at 5:30 pm) admitted to searching for the actor’s name but claims she never clicked on his file. “I had told them on several occasions that I did not enter the records and I didn’t understand how having those names on the screen is my entering the records,” she said. HIPAA rules are clear, however, that even the fact that an individual is receiving care is considered PHI. (1)
It is interesting that one of the benefits of widespread use of electronic medical records (EMRs) is increased communication between health care providers, which improves our care of patients and their families. One of the unanticipated consequences is that personal information is presented in a way that can be easily accessed. We hear daily about “horror stories” of identity theft.
Every year, when we need to update our compliance training, it always deals with facts and information regarding HIPAA. Moaning and groaning ensue. We would rather be seeing patients. Do you feel the same way? Rationalizations abound.
Celebrities have the same right to privacy as anyone else. Additionally, the principle that patients should have an expectation of privacy is not new and did NOT start in 1996 with HIPAA. In fact, part of the Hippocratic oath, which is one of the oldest binding documents in history, states that “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.” (2)
References:
1. Exclusive: Northwestern Hospital Employees Fired For .., https://chicago.cbslocal.com/2019/03/07/northwestern-employees-fired-jussie-smol (accessed April 09, 2019).
2. Hu245 Unit 3 Discussion – Unit 3 Discussion Confidentiality.., https://www.coursehero.com/file/15426350/HU245-Unit-3-Discussion/ (accessed April 09, 2019).
The authors have no conflicts of interest to disclose.
Corresponding Author

Jonathan Fanaroff, MD, JD, FAAP
Professor of Pediatrics
Case Western Reserve University School of Medicine
Director, Rainbow Center for Pediatric Ethics
Rainbow Babies & Children’s Hospital
Cleveland, Ohio
Email: jmf20@case.edu

Gilbert I Martin, MD, FAAP
Division of Neonatal Medicine
Department of Pediatrics
Professor of Pediatrics
Loma Linda University School of Medicine
Email: gimartin@llu.edu
Office Phone: 909-558-7448