Celebrities, athletes, and government officials continue to be more accessible to us. This connection is made possible by the advancements in technology and social media.
But there is a fine line between finding out that a celebrity checked into a hospital and digging through their medical records.
Since HIPAA’s enactment in 1996, we’ve witnessed almost 20 reported cases of unauthorized personnel looking up the medical records of celebrities. This usually happens when a celebrity checks into the hospital, but that’s not always the case.
We’ve aggregated the ultimate list of reported celebrity HIPAA violations. The goal of this post is to help you prepare your staff just in case a celebrity checks into your healthcare facility.
Below is a navigation list to quickly view each reported infraction, who was breached, when it occurred, and their consequences…
Fake Crime Leads to Real Crime
Jussie Smollett - March 2019
This is the latest recorded celebrity HIPAA violation as of June 2019.
During the majority of the first quarter of 2019, the media was covering what was initially thought of as a hate crime on “Empire” actor Jussie Smollett.
Smollett was admitted to Northwestern Memorial Hospital in Chicago for treatment of bruises and facial lacerations.
When Smollett first reported the attack on January 30th, it drew public outrage.
While he was receiving treatment, at least 50 employees at the Chicago hospital improperly reviewed Smollett’s medical records. Some employees attested that they didn’t look into his records and only searched his name within the system.
The employees who viewed his medical report without proper access were immediately fired.
A Celebrity HIPAA Violation Formerly Known as...
Prince - April 2016
In 2016 we witnessed many notable celebrity deaths, one of whom was Prince.
Six days before his death, TMZ reported that doctors gave him treatment that was “typically administered to counteract the effects of an opiate.”
As it turns out, the story they reported isn't a HIPAA violation, although many people still question the integrity of the information that TMZ received.
If staff disclosed the information about the potential drug overdose, that would've been a breach of Prince’s rights under the HIPAA Privacy Rule.
But, as it stands, TMZ and other news media outlets that reported his alleged treatment cannot be charged with violating HIPAA.
The New York Football HIPAA Violation
Jason Pierre-Paul - February 2016
On July 4, 2015, former New York Giants defensive end Jason Pierre-Paul suffered a devastating hand injury. He experienced the injury during a fireworks accident. He was then sent to and treated at Jackson Memorial Hospital in Miami, Florida.
Due to the injury, the hospital's medical staff amputated the middle finger on his right hand.
ESPN reporter, Adam Schefter, immediately posted details of the incident on Twitter. Schefter's tweet included a picture of Pierre-Paul’s medical records. Schefter received the leaked image of Pierre-Paul's records from two hospital employees.
Before the accident, Pierre-Paul was negotiating a $60 million contract with the Giants. This injury put that contract at risk.
This HIPAA violation resulted in two lawsuits. The first lawsuit was against ESPN. The second was against Jackson Memorial Hospital. Also, the hospital fired the two employees who released Pierre-Paul’s PHI.
The lawsuit against ESPN settled in 2017…
“ESPN continues to firmly believe that its reporting about Mr. Pierre-Paul’s July 2015 injury, including the use of a medical chart that definitively described the seriousness of the injury and resulting treatment, was both newsworthy and journalistically appropriate,” the network stated. “Despite their different points of view, the parties have agreed to amicably resolve their dispute rather than continue their litigation.”
Ebola Scare Leads to Breach
Dr. Rick Sacra - September 2014
At the peak of the Ebola scare in 2014, Nebraska Medical Center in Omaha admitted Dr. Richard Sacra. He was the third American medical missionary to return to the U.S. needing treatment for the Ebola virus.
He was treated in the hospital’s biocontainment unit for 20 days. Meanwhile, two hospital employees inappropriately accessed his electronic medical record (EMR).
As a result of this HIPAA violation, the hospital fired both unauthorized employees.
HIPAA'ing up with a Kardashian
Kim Kardashian - July 2013
On June 15, 2013, Kim Kardashian gave birth to her and Kanye West’s daughter, North West. A week later the family checked out of the hospital.
On July 12, 2013, The LA Times reported that Cedars-Sinai Medical Center fired six employees. Cedars-Sinai Medical Center was where North West was born.
Five staff members accessed a single patient record while one other looked at 14 records. Kim-ye refused to respond to the blatant breach in privacy.
This HIPAA violation cost these staff members their jobs and a permanent ban from accessing any Cedars-Sinai Medical Center records.
Mass Shooting Leads to Breach
U.S. Representative Gabrielle Giffords - January 2011
On January 8, 2011, the U.S. news reported that nineteen people were shot during a constituent meeting held in a supermarket parking lot in Casas Adobes, Arizona.
Tucson's University Medical Center admitted all injured from the event. The majority were in critical condition. United States Representative Gabrielle Giffords was among the injured.
While these patients received treatment, three employees accessed confidential medical records without authorization.
University Medical Center terminated all three employees including a contracted nurse. The number of patients affected by the breach wasn’t reported but the hospital notified all families involved.
Hospital Hit with Six Figure HIPAA Fine
UCLA Hospitals - July 2011
UCLA Health Systems was a frequent culprit of celebrity HIPAA violations. In 2011, UCLA had to pay an $865,000 fine for allowing the medical records of three celebrity patients to be accessed by non-authorized personnel. Affected celebrities included Britney Spears, Maria Shriver, and Farrah Fawcett.
The breaches occurred between 2005 and 2009.
All UCLA hospitals in question failed to put in place efficient controls after the HIPAA infractions occurred.
The settlement was the result of many failures to remedy privacy and security deficiencies.
You've Been Hit by, You've Been Struck by a Large HIPAA Fine
Michael Jackson - June 2010
On June 25, 2009, Michael Jackson passed away due to acute propofol and benzodiazepine intoxication at his home in Los Angeles.
The LA Times reported that Ronald Reagan UCLA Medical Center personnel inappropriately accessed MJ’s medical records.
The snooping occurred on June 30th, five days after his death. At least half a dozen unauthorized staff members accessed Jackson’s death certificate.
Within two weeks of his death, his death certificate was viewed more than 300 times. The hospital was fined $95,000 for privacy violations. Also, two hospital workers and two contract employees were fired.
Brutal News Anchor Robbery Leads to Violation
Anne Pressly - October 2009
On October 20, 2008, popular Little Rock, Arkansas news anchor, Anne Pressly, was brutally attacked during a robbery at her home. St. Vincent Infirmary Medical Center admitted her, but she died five days later.
During her stay, three employees accessed her electronic files to determine her condition. They later admitted that they knew they were breaking the law.
Each employee faced different penalties…
$2,500 fine with a one-year probation sentencing
$1,500 fine with a one-year probation sentencing
$5,000 fine plus 50 hours of community service to educate others on the importance of HIPAA
Nadya “Octomom” Suleman - May 2009
On May 15, 2009, HealthLeaders reported that Kaiser Permanente Bellflower Hospital in Los Angeles received a $250,000 HIPAA fine. The fine occurred due to 23 employees breaching the privacy of a patient who gave birth to octuplets.
This was the first fine of its kind under a new California state patient privacy law that went into effect on January 1st, 2009.
Kaiser terminated one employee, 14 resigned, and another eight received disciplinary action.
Many still attribute Nadya “Octomom” Suleman's claim to fame to this HIPAA violation.
Richard Collier - November 2008
On Tuesday, September 2, 2008, former Jacksonville Jaguar, Richard Collier, was shot and critically wounded outside an apartment complex at around 2:45 am.
The shooter was later identified as Tyrone Hartsfield whose motive was revenge. The April before the attack, Hartsfield was knocked out by Collier in a fight that broke out at a night club.
Collier received treatment at Shands-Jacksonville Medical Center. After his discharge, 20 hospital employees were fired for violating Collier's medical privacy. Those employees accessed Collier’s file through a computer.
Many argue that some of the employees had legitimate reasons to access Collier’s record and that Shands was too harsh.
Leave Britney's EMR Alone
Britney Spears - March 2008
In January 2008, Britney Spears checked into a psychiatric ward after refusing to take prescribed medication and acting erratically. Spears went to the previously mentioned UCLA Medical Center in Los Angeles.
Three months after the event, UCLA Medical Center fired at least 13 employees and suspended six others. They were accused of snooping into Britney Spears’ medical records.
This wasn’t the first time Britney Spears was a victim of a HIPAA violation. In September 2005, her records were viewed by several employees inappropriately at Santa Monica-UCLA Medical Center and Orthopaedic Hospital.
Breaching Dr. Douglas Ross
George Clooney - October 2007
After a motorcycle accident, George Clooney and then-girlfriend, Sarah Larson, checked into Palisades Medical Center in North Bergen, New Jersey.
Clooney suffered a broken rib and skin abrasions while Larson broke her foot. One month later, the hospital suspended 27 employees for accessing their personal medical information.
Clooney responded to the suspensions, “This is the first I've heard of it. And while I very much believe in a patient's right to privacy, I would hope that this could be settled without suspending medical workers.”
HIPAA Sting Operation
Farrah Fawcett - May 2007
Farrah Fawcett battled cancer for many years up until her tragic death in 2009.
While seeking treatment at the UCLA Medical Center, tabloids also released news about her admission.
Fawcett noticed this and in May 2007 she set up a sting operation. She withheld news from her friends and relatives of her rediagnosis to see if it leaked into the media. Within days the story she withheld was in the National Enquirer.
The employee who leaked the information was later identified as Lawanda Jackson. Jackson received at least $4,600 from the publication through checks made out to her husband.
Jackson faced up to 10 years in prison but died from complications with breast cancer before sentencing.
First Ever HIPAA Violation Sentencing
Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, Leonardo DiCaprio - October 2003
On October 29, 2003, Dr. Huping Zhou received a discharge notice from the UCLA Health System. His dismissal was due to performance-related reasons.
Disgruntled, over the next three weeks Zhou abused his access to the hospital’s electronic health record system. He began viewing medical records of celebrities and high-profile patients including...
Zhou accessed UCLA’s record system 323 times throughout a three-week period. He later admitted to obtaining patient health information on four occasions after termination.
Zhou received a four-month sentence and $2,000 fine on April 27, 2003. The verdict was, “four misdemeanor counts of accessing and reading medical records of his supervisors and high-profile celebrities.”
It seems like whenever a celebrity requires medical attention, it leads to unauthorized viewing of medical records. Celebrities still have the same medical rights under HIPAA as the general public.
If a celebrity is ever admitted to your hospital or practice, you and your staff must understand the privacy rights of your patients, regardless of how society ranks them.