Wednesday, October 10, 2007

George Clooney & Patient Privacy Rights

This week, patient medical records and patient privacy received some unusual media attention because one of Hollywood's own, George Clooney, allegedly had his medical records violated by more than two dozen employees at the Palisades Medical Center in New Jersey who supposedly handed his medical records over to the media. Clooney visited the medical center when he and girlfriend, Sarah Larson, were treated for injuries sustained in a motorcycle accident recently. Those employees, incidentally, have been suspended without pay for a month. They were suspended because Clooney is a celebrity, but if the same thing happened to an average person, I suspect they wouldn't have even been reprimanded.

Unfortunately, medical privacy is a huge issue that has yet to receive the kind of public attention it deserves because most of your medical records remain on paper files that reside in your doctors' offices. That makes theft (of the sort that has become known only since a groundbreaking California law made public disclosure of data violations mandatory, see here for a listing) highly unlikely. But with legislators pushing electronic records as a way to streamline the billing process (in spite of having no evidence to show that cost savings will result), and companies like Microsoft pushing this issue, your medical records may someday be floating around cyberspace and you'll have no right to stop it as you do with your credit bureau file, because there are no laws on the books protecting you.

Today, I received notice that at 3:00 EST (October 10, 2007), the Founder of the organization Patient Privacy Rights, Dr. Deborah Peel, M.D., will be on Star Jones on Court TV to make four clear points:

1. HIPAA is a joke. It's not a "Privacy" Rule, it's a "Disclosure & Exposure" Rule.

2. The violation made the news because the victim was George Clooney, but every day the average American's personal health information is being seen, sold and stolen by millions of individuals and businesses without your consent and over your objections.

3. Congress must pass legislation that ensures individual Americans, not insurers, employers, hospitals, banks or creditors, control all access to their own health records.

4. However, you can take the Patient Privacy Rights form to every doctor, hospital, lab or pharmacy to let them know that they cannot release your health information without your consent. But it's impossible to impact Congress without massive public support for patient health privacy.

If you have the chance, try to catch the Star Jones show this afternoon. Even if you can't, do visit Patient Privacy Rights for more information on this important topic!


Shaman said...


Awareness needs to come from the patient. I had written about the impact of online medical information systems and privacy a few days ago on my blog -

There are a number of steps one can take with HIPAA, but it is so cumbersome that people give up and ask, "Why bother?".

Anne Findlay said...

Working in the medical field, I have to take exception to some of the points made by Dr. Peel, at least from my observations.

HIPAA is not a joke. Since it was implemented, security of medical records where I work has increased significantly, to the point where it sometimes, if not often, can even interfere with doctors who are trying to coordinate care of a patient. Yeah, it is a disclosure/exposure rule, which naturally leads to increased privacy, at least in many circumstances.

If the law were increased to restrict any communication of medical records without explicit consent of the patient, patients would suffer. Most patients don't realize what doctors do behind the scenes to coordinate their care. I am talking about things like surgery or other medical procedures, rather than a routine visit with the family doctor.

Also, regarding point 2: the average person is of no interest to the media. I would also be very skeptical of the rest of the claim as well. What proof of this is there?

That being said, I don't want my medical info out there as much as the next person, but then again, it's pretty much out there since I discuss having diabetes on my blog. If I were so concerned with pertinent medical info being public information, I would not publicize my most costly medical condition.

Just my 2 (or 3) cents.

Anne Findlay said...

Okay, I have to say they got the reality of HIPAA right. From their website:

"Healthcare providers over-reacted and misread the rule. Hospitals quit labeling nursery cribs with names of newborns (or even closed curtains) for fear of violating the family's medical privacy. Drug store customers now wait in distant lines so pharmacists cannot be overheard describing side-effects to customers. Friends cannot send flowers to patient's rooms, pastors fear informing congregations about members in the hospital, and some doctors believe they can no longer communicate with other doctors caring for the same patient. Newspapers cannot name people who are injured or describe the state of their health."

I've definitely seen these sorts of things happen. On the other hand, our computer systems have become much tighter with tight security due to HIPAA, for example. My experience is limited to my own department.

Scott S said...

Anne, thanks for your input. From my own perspective, I would say that we need not agree with all of Dr. Peel's perspectives to agree with the overall perspective that HIPAA provides relatively little protection to individuals and needs to be revised. As you note, it HAS increased the level of care given to medical records, but when we compare the level of control we as individuals have regarding our medical records to, say, your personal credit report, not only do we not have the level of controls afforded with the Fair Credit Reporting Act (FCRA), but there is no way to even dispute a discrepancy if one should exist, nor is there a law outlining procedures for resolution.

HIPAA was implemented at the last minute because there was public outcry about the lack of privacy provisions, but the practical reality is that aside from the threat of a fine for violating HIPAA provisions, there have been a total of 3 fines imposed during 2007, in spite of over 250,000 complaints -- three!!!

We need to revisit the privacy rules and examine them not only from the patient perspective, but from the healthcare providers' perspective, and give more serious consideration to the practical impact these rules have from all parties' perspectives. A last-minute addendum to the Health Insurance Portability Act has not really addressed the host of privacy concerns in a way that really makes anyone happy!

Wingman said...

Medical privacy is such a dicey subject - it needs to be open enough for the free flow of information in diagnosis but closed enough so your employer can't use it against you for example. When my uncle was dying from brain cancer trying to get his medical records from NYU to Sloan was near impossible and that defeats the purpose of medical privacy.

Scott - would love to talk to you more about NYC endos as it seems you have more knowledge about them than anyone - could you shoot me an e-mail at so I could ask you a couple questions.


Anonymous said...

I know of several UPMC employees (big hospital chain in Pittsburgh) who were fired for looking up records on Ben Roethlisberger of the Steelers. Privacy does not exist in this age. You can bet that your insurance agency, employer or neighbor can find out anything they want about you if they tried.

Anonymous said...

Scott, once again, you need to look at HIPAA a little closer - specifically §164.526 that gives a consumer the right to view and request amendment of their medical records. There are some exceptions but they don't apply in normal and usual situations. For instance, if you're just pissed that your BG came in too high at 250, you can't compel the provider to change it to 150 when in fact it WAS 250. However, if they note 250 and you have the copy of the lab work that shows it was indeed 150, you can request that amendment.

I pointed this out to you on DTF a couple of years ago and I'm a little dismayed that a well-informed, well-educated, well-intentioned man like you is still spreading this misinformation. :-(

Scott S said...

Once again, I think you are overstating the belief that §164.526 offers full protection. While it does require "covered entities" to document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by § 164.530(j), it frankly does very little to help a victim of medical identity theft to resolve those issues other than to enable where the theft occurred. Clean-up can be time consuming, messy and frankly, we should be ashamed that this is called a patient "protection" when compared to the Fair Credit Reporting Act, which outlines specific timeframes and specific procedures by which disputes must be addressed. Sorry, I do not agree that this is adequate, and much, much, much more needs to be done.

Scott S said...

Let me just add that even if a person is the victim of a violation of the HIPAA Privacy Rule, the law does not give people the right to sue. Instead, individuals must file a written complaint with the Secretary of Health and Human Services via the Office for Civil Rights. It is then within the Secretary's discretion to investigate the complaint. HHS may impose civil penalties, or criminal sanctions (with corresponding prison terms) may be enforced by the Department of Justice. But since the Privacy Rule went into effect, HHS has focused on a complaint-driven process that relies on voluntary compliance with the law. So far, even though thousands of complaints have been filed, not ONE civil monetary penalty has been issued! That's a really lame excuse for patient protection, especially if we're not even enforcing the rules on the books.

Anonymous said...

Look up "Richard Gibson" ID theft HIPAA Seattle Cancer Care Alliance and read about the penalties.

HIPAA isn't a joke - but it's up to the hospital administrators to enforce it appropriately; have the correct privacy officers running the program, etc.

As for George Clooney's attitude - wait until they release information he doesn't want told about him, and then his attorneys will have a much different approach.

HIPAA is to protect everyone's privacy - he is setting a bad example for those that work to enforce these laws/rules and for those nameless patients that expect the appropriate handling of their protected health information.

Anonymous said...

"They were suspended because Clooney is a celebrity, but if the same thing happened to an average person, I suspect they wouldn't have even been reprimanded."

How right you are. I am the average person. My ex-wife works in my doctor's office and helped herself to my medical records and relayed info to her attorney. A few months later she accessed the records of a friend of mine and relayed that info to her attorney. Also the daughter of my friend.

I contacted OCR and they just blew it off. I contacted Willis Knighton Hospital and they accused me of mudslinging. I even contacted my doctor, and was informed how to go about finding another doctor.

For comments or questions, you can reach me at