Celebrity HIPAA Violations: Lessons from the Jussie Smollett Incident
When healthcare providers gain access to celebrities’ medical records, HIPAA violations become newsworthy. CBS Chicago interviewed Erin Jackson of Jackson LLP to understand the actions of a hospital following a breach.
In February 2019, television actor Jussie Smollett was charged with filing a false police report after allegedly staging his own assault. The stunning arrest created a national media firestorm, and as a result, Smollett became the subject of intense curiosity.
Weeks later, the infamous case sent another shockwave through Chicago’s medical community. Northwestern Memorial, the hospital that had treated Smollett for his injuries, fired approximately 40 employees for accessing the actor’s protected health information in violation of HIPAA.
Following the dismissal, a few of the fired employees reached out to the media, stoking sentiment that Northwestern’s response was excessive. As the story broke, CBS Chicago interviewed healthcare law expert Erin Jackson, Managing Partner at Jackson LLP, to make sense of the hospital’s actions. Read on for a breakdown of the issues, or view Erin’s interview.
What Is a HIPAA Breach?
The Health Insurance Portability and Accountability Act (HIPAA) permits access to protected health information (PHI) by providers solely for treatment, payment, or healthcare operations. Employees should have only the minimum necessary PHI to do their jobs. In other words, if you are not involved in a patient’s treatment, you should not have any access to his PHI. Accessing medical records without any legitimate work reason is a clear violation.
PHI encompasses a broad range of information: electronic, verbal, and paper. All past, present, and future information is protected, including any information that can be tied to an individual. There are 18 identifiers including name, address, and fingerprints. Therefore, even just knowing the identity (i.e., name) of a patient not in your care can constitute a breach.
Northwestern likely learned that employees violated HIPAA through digitally recorded access logs, which potentially alerted Northwestern that more people viewed Jussie Smollett’s records than were authorized. In turn, Northwestern may have brought in a third-party cybersecurity firm to determine who accessed the PHI without a valid reason.
Can the Former Employees Claim Wrongful Termination?
When the news broke, the question arose: was Northwestern unjustified in terminating its employees? Some of the dismissed employees came forward and claimed that they merely scrolled past Smollett’s name while searching for another patient’s records.
However, Northwestern was within its rights to fire its employees. In Illinois, an employer can discharge an at-will employee for “good cause, for no cause, or for a cause that some might view as morally indefensible.”
Moreover, HIPAA exists to protect patients, not healthcare workers. Under Northwestern’s formal policy, accessing information where no treatment relationship or other legitimate business interest exists is a “Level 3 violation.” According to the policy, such an infraction may be punishable by termination and possible legal action.
Could Northwestern Be Held Liable?
In a 2014 case, an Indiana Appellate Court found Walgreens liable for an employee’s HIPAA violation and ordered the organization to pay over $1 million in damages. The court rejected Walgreens’ argument that it could not be held responsible for its employee’s actions, even though Walgreens stated that 1) the employee was acting outside of the scope of her employment and 2) she had willfully ignored Walgreens’ strict policies designed to prevent such breaches. If an Illinois court holds in a similar manner, Northwestern could be found liable for all of its employees’ HIPAA violations and forced to pay massive damages.
Did Northwestern Overreact?
HIPAA penalties are different depending on the institution and the severity of the violation. All HIPAA violations must be investigated and acted upon by the organization, which needs to find out:
- how the violation occurred
- the implications on patients’ privacy
- the potential legal issues resulting from the violation
- actions regulators can take.
The organization must take steps to prevent similar occurrences in the future. If the breach was unintentional or made in good faith and with proper authorization, it is not considered a “reportable” breach and would not require disciplinary action.
HIPAA penalties are not something to ignore. Civil penalties can range from $100 to $50,000 — depending on whether the violation was corrected within 30 days and whether the violation was due to willful neglect or reasonable cause. Criminal penalties are handled by the Department of Justice and can range from $50,000 to $250,000 and include 1 to 10 years of jail time.
Previous Celebrity HIPAA-Related Dismissals
HIPAA breaches are common in high profile cases. Humans are curious by nature, and healthcare professionals want to learn more about celebrity patients. As a result, Northwestern is not the first hospital to deal with HIPAA violations after a celebrity received treatment:
- 2007: George Clooney was in a motorcycle accident in New Jersey. The hospital had to suspend 27 employees without pay for reading through Clooney’s PHI.
- 2008: Britney Spears visited a hospital that later fired or suspended 19 of its employees for accessing her medical records.
- 2009: Nadya Suleman, better known as the Octomom, gave birth in a California hospital. During her stay, 21 employees and two physicians unrelated to her care accessed her records. As a result, 15 employees either resigned or received dismissals, and 8 faced disciplinary actions. The hospital paid a $250,000 fine for failing to protect Ms. Suleman’s PHI.
- 2013: Kim Kardashian’s hospital stay ended with 6 hospital employees fired.
In the end, Northwestern’s termination of approximately 40 employees stands out only because this is a higher number than the other high-profile cases.
Preventing Future Violations
Most likely, Northwestern has launched a serious investigation with the goal of creating a system that prevents similar events from happening in the future. Given the temptation to glean information about celebrities, for example, Northwestern could have reminded staff of HIPAA policies, and how they still apply even when dealing with public figures. In addition, the hospital could have electronically fenced Smollett’s records so that only select, authorized personnel had access.
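The two controls described here and in the earlier discussion of access logs (reviewing audit records for accesses with no treatment relationship, and fencing a high-profile record behind an explicit authorization list) can be illustrated with a small privacy-officer review script. The example below is added for this article and is not Northwestern’s, Jackson LLP’s, or any EHR vendor’s code; the log format, user IDs, patient IDs, care-team roster, and fenced-record list are all constructed for illustration, and real EHR audit exports differ.

```python
"""Added example: review constructed EHR access-audit lines for chart opens
outside a treatment relationship, and enforce a 'fenced' record list that
only explicitly authorized users may open. All names, IDs, and the log
layout are assumptions made for this illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log: timestamp user role patient_id action
SAMPLE_LOG = """\
2019-01-29T04:12:07 u1001 nurse P-55821 view_chart
2019-01-29T04:15:33 u2002 physician P-55821 view_chart
2019-01-29T09:02:11 u3003 registrar P-55821 search_result
2019-01-29T09:02:12 u3003 registrar P-55821 view_chart
2019-01-29T11:45:00 u4004 nurse P-10234 view_chart
2019-01-29T12:30:19 u5005 tech P-55821 view_chart
2019-01-29T12:31:02 u6006 nurse P-55821 view_chart
2019-01-30T08:00:45 u1001 nurse P-10234 view_chart
2019-01-30T08:05:10 u5005 tech P-10234 view_chart
"""

# Constructed care-team roster: users with a treatment relationship to each patient
CARE_TEAMS = {
    "P-55821": {"u1001", "u2002"},
    "P-10234": {"u4004", "u1001"},
}

# Constructed fenced records: an explicit authorization list that replaces the
# roster check for a high-profile patient, so nobody outside the list may open it
FENCED = {"P-55821": {"u1001", "u2002"}}


@dataclass(frozen=True)
class Finding:
    when: datetime
    user: str
    role: str
    patient: str
    severity: str   # "chart_access" (record opened) or "name_exposure" (search hit only)
    reason: str


def parse_log(text):
    """Split constructed log lines into (timestamp, user, role, patient, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append((datetime.fromisoformat(ts), user, role, patient, action))
    return events


def review_access(text, care_teams=CARE_TEAMS, fenced=FENCED):
    """Return one Finding per access that no treatment relationship or fence entry permits.

    Even a search hit on the name of a patient outside the user's care is reported,
    since the article notes that knowing the identity alone can constitute a breach;
    it is labelled with a lower severity so the privacy officer can triage."""
    findings = []
    for when, user, role, patient, action in parse_log(text):
        if patient in fenced:
            authorized = user in fenced[patient]
            reason = "fenced record, user not on authorization list"
        else:
            authorized = user in care_teams.get(patient, set())
            reason = "no treatment relationship"
        if authorized:
            continue
        severity = "chart_access" if action == "view_chart" else "name_exposure"
        findings.append(Finding(when, user, role, patient, severity, reason))
    return findings


def viewers_per_patient(text):
    """Distinct users who opened each chart; compare against the care-team size
    to see whether more people viewed a record than were authorized."""
    seen = defaultdict(set)
    for _, user, _, patient, action in parse_log(text):
        if action == "view_chart":
            seen[patient].add(user)
    return {patient: len(users) for patient, users in seen.items()}


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG):
        print(f"{f.when.isoformat()} {f.user} ({f.role}) {f.patient} {f.severity}: {f.reason}")
    print("distinct chart viewers:", viewers_per_patient(SAMPLE_LOG))
```

Run against the constructed log, the review reports three users who opened the fenced record without being on its authorization list, one search hit on that record, and one chart open on the second patient by a user with no treatment relationship; the viewer counts (five and three) against care teams of two are the kind of discrepancy that would prompt the audit-log review the article describes.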
What Happens if a Health Care Professional Accidentally Violates HIPAA?
If you are a healthcare provider and believe you have accidentally violated HIPAA, you do not need to panic. An accidental HIPAA violation does not guarantee a huge penalty as long as you take the proper steps.
First, report the incident to the organization’s Privacy Officer as soon as possible. That person will then need to determine the actions that must be taken to reduce risk and potential harm of the violation. Finally, the organization may need to file a report with the Department of Health and Human Services’ Office for Civil Rights (OCR).
Everyday Lessons for Providers
Although the Jussie Smollett incident offers a larger-than-life example of the risks of PHI access, there are lessons for all healthcare practices:
- HIPAA violations can seem trivial—such as merely seeing a patient’s name on a roster—but can have serious repercussions.
- By law, the minimum necessary staff members should have access to patient records.
- Organizations need to have clear, written HIPAA policies.
- It is essential to train staff on the policies.
- When a breach occurs, both the employee and the organization need to act quickly to assess the potential harm, reduce future risk, and file a report.
- Organizations have the right to dismiss employees for HIPAA infractions, even if they are inadvertent.
What Do You Think?
Do you feel confident that you have clear HIPAA policies? Does your staff understand the policies and procedures for dealing with violations? Finally, do you think Northwestern’s response was excessive?
Please let us know in the comments below and contact Jackson LLP if you need to assess the HIPAA violation risk of a medical, dental, or therapy practice in Illinois, California, Connecticut, Florida, Michigan, New York, Texas, or Wisconsin.