They all were involved in reported HIPAA privacy breaches due to their celebrity status.
While Kim Kardashian was in the hospital giving birth to her first child with Kanye West, multiple employees were fired for allegedly accessing her medical records.
In May 2019, one news outlet reported that 50 Northwestern Memorial Hospital employees “may have been fired” for looking at former Empire actor Jussie Smollett’s medical records. Smollett was treated at Northwestern for injuries he suffered in what he originally reported as an assault but was later determined to be a fraudulent incident.
This summer, the compliance and sports worlds collided when Dallas Cowboys running back Ezekiel Elliott’s COVID-19 results went viral.
Elliott issued his official, one-word response to the news on Twitter: “HIPAA ??” Elliott went on to deny reports that his own agent leaked the news about his COVID-19 status, tweeting that his agent confirmed the information AFTER it was leaked to the media.
Snooping, snooping, is no fun. Snooping, snooping, hurts someone.
And sometimes, people snoop just out of curiosity. For example, a former temporary staffer of Northwestern Memorial Hospital reportedly accessed the medical records of 682 patients without a valid reason.
You don't have to live in Los Angeles to have celebrities. A celebrity could be an athlete, a beloved and well-known veteran or teacher, or even the beneficiary of a popular GoFundMe campaign. Who will your employees be curious about?
Are you doing enough to prevent snooping?
Are your employees trained about the consequences of breaching patient information in this way? What would your employees find more compelling – your HIPAA policies and their consequences, or the potential reward for leaking high-profile information?
Are your employees trained to understand that COVID-19 status is sensitive PHI – with higher stakes for the patient?
Does your organization segregate patient records access to minimize the likelihood of a breach?
When your organization treats high-profile patients, are extra precautions taken to protect their PHI (for example, admitting/treating them under an alias)?
Do you conduct regular information system activity review audits, to both prevent and detect unauthorized records access?