A Cautionary Tale of Celebrity Breach

The company I work with, 4MedPlus, is based in the beautiful city of Chicago, Illinois, with a mission to provide critical compliance education. Many courses are dedicated to the subject of HIPAA and security in one form or another. We regularly present workshops, always including and specifically addressing the ‘minimum necessary standard’, which is an important protection and requirement of the HIPAA Privacy Rule.

This standard is based on the practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The standard essentially requires the implementation of safeguards to limit unnecessary or inappropriate access to and disclosure of protected health information (PHI).

Last week, however, it was reported that at least fifty people immediately lost their jobs at one of the premier medical employers in Chicago, Northwestern University Hospital, all over a ‘minimum necessary standard’ breach. Why? Because a minor celebrity of a semi-popular show, Jussie Smollett, had arrived following a questionable attack reported widely in the news.

Similarly, a few years ago at UCLA Medical Center in Los Angeles, Britney Spears had her privacy breached immediately following a specific staff memo with explicit warnings against this very behavior. Again, many lost their jobs, including both staff members and physicians.

EVERYONE, and I mean EVERY SINGLE EMPLOYEE, at Northwestern and UCLA Hospitals (any hospital) would be required to take HIPAA training each year, and most facilities also necessitate signed confidentiality agreements as a condition of employment. So how and why did this happen?

Truth be told, as a Chief Learning Officer, I understand that annual compliance training can be boring. Anything that forces us to repeat learning and repeat and repeat may go in one ear and out the other; and signing paperwork when onboarding at a new job is often an exercise in hurried completion. However, this standard is extremely important to patient privacy and should be taught as such. There should be reminders in all areas where records are accessed. And in cases of incoming celebrities, perhaps more careful oversight of access should be implemented.

Whether Northwestern took these extra steps or not, the question remains: is this a condition of curiosity or greed or both? Records of famous people may be sold to tabloids and others for significant sums; however, most who access the records have no nefarious intent. They just want to be “in the know”. Employees should understand from day one (and every year thereafter), through their HIPAA education, that failing to follow this legal instruction could mean immediate termination, potential fines and possible incarceration. And employers who neglect these extra steps should remind themselves that audits and legal consequences will follow any such publicly announced breach.

Not only does this level of breach result in sweeping job loss, but HIPAA also calls for civil and criminal fines to be paid by the employer and/or the individual, with some cases resulting in imprisonment for the violator. So, whether you are a healthcare employer, a medical staff member or a compliance officer, you should carefully review the rules and regulations associated with the HIPAA Minimum Necessary Standard. Moreover, this principle should be highlighted and reinforced by sharing breach results like this with vulnerable communities.

Because NO celebrity news is worth losing your job over. And even if you did receive a tabloid payment for delivering the stolen information, it would never be enough to pay the fines or resolve the legal trouble following the likely discovery. Be smart.

FOR HHS GUIDANCE REGARDING THIS STANDARD: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html

FOR ONLINE ACCREDITED EDUCATION (including a focus on the minimum necessary requirement), please visit our HIPAA education category: https://www.4medtrainingcatalog.com/online-store/HIPAA-Compliance-Training-c17957757

Author:  Wendy Whitmore, CLO