Proskauer on Privacy will never be confused with TMZ, but we would be remiss if we failed to report on the high-profile privacy scandal unfolding in the backyard of our Los Angeles office. As we previously reported, California’s data breach notification law was amended effective January 1, 2008, to include breaches of medical and health insurance information. A number of recent incidents illustrate once again that it is not enough to have written policies and procedures in place for the handling of sensitive information – employee training is essential.
The Los Angeles Times recently reported that over 120 employees viewed the medical records and personal information of approximately 900 celebrity patients at UCLA Medical Center between April 2003 and May 2007. According to the latest report, the unauthorized snooping continued even after the facility cracked down on peeking employees in April.
One employee, former administrative specialist Lawanda Jackson, has been indicted for obtaining individually identifiable health information for commercial advantage. Jackson allegedly sold information about Farrah Fawcett’s battle with cancer to a national media outlet.
According to an incident report by the California Department of Health Services, an unnamed celebrity patient informed the facility as early as 2004 that confidential information about his or her hospitalization had been published in a national newspaper.
The Los Angeles incident is not the only hospital snooping scandal currently making headlines. In Michigan, employees at Sparrow Hospital were disciplined for peeking at the medical records of Governor Jennifer Granholm when she was admitted in April 2008 for surgery. The hospital did not release any additional information about the incident, citing federal privacy law.
Companies that want to stay off the front page must ensure that personnel receive, and are regularly trained on, company policies and procedures governing the protection of personally identifiable information, and must consistently enforce those policies and procedures.