A hospital's compliance program is never tested more than when a hospital employee, public figure or celebrity is a patient. In a struggle between human curiosity and HIPAA policies and procedures, curiosity often wins. Case in point -- the disclosure last month of George Clooney's medical records when he was admitted as a patient to Palisades Medical Center Hospital in New Jersey after a motorcycle accident. The press later reported that dozens of employees, including doctors and nurses, were suspended for unauthorized access to Clooney's medical records. At a recent health care compliance conference, I asked an audience of privacy officers and compliance professionals whether they would fire an employee for unauthorized access to the health information of a public figure. A show of hands indicated that the audience was evenly split on that question. While there is room for debate as to what constitutes a firing offense, there is no question that privacy policies must be rigorously and consistently enforced. One of the best ways to do that is through the use of audit logs. What if the employee says someone else used their user name and password? Ideally, access logs should identify the workstation name and/or IP address. Also consider whether building access logs or security cameras can establish the employee's location at the time of the incident.
