We could not pass up an opportunity to mention Britney Spears here on our blog. As reported in this article, UCLA Medical Center is imposing discipline against 13 employees who looked at Britney’s medical records without permission. This seems to be a trend. As reported here, 27 employees at Palisades Medical Center in North Bergen, New Jersey, were suspended back in October for viewing George Clooney’s medical records after a motorcycle accident. Other incidents of medical records snooping are reported here.
Why are hospitals so concerned and why can’t doctors and nurses snoop on their favorite celebrity? The Health Insurance Portability and Accountability Act (HIPAA). Hospitals are required to protect the medical records for Britney, George, and any other patient. Employers likewise are required to protect personal health information of employees. Penalties for using patient information without prior consent could be subject to financial penalties as high as $250,000 or 10 years in jail, and the Department of Health and Human Services recently announced that it will conduct surprise audits of HIPAA compliance in hospitals.
Can Britney Spears or George Clooney sue the hospitals for unauthorized access to their medical records? The federal courts have said no, there is no private right of action under HIPAA. But other theories of liability could potentially support a cause of action under state law, such as for breach of privacy or negligent infliction of emotional distress. In addition, an employer who fails to protect its employees’ protected health information could see state law claims thrown into the mix and references to HIPAA privacy rights to bolster those state law claims.