Good grief. When I saw this headline, my first thought was that maybe OurMine had hacked the NY Daily News, but it seems the headline was for real. Justin Bieber had reportedly sought emergency medical care, an employee had been fired for allegedly accessing his medical records without necessity, and somehow the press found out about it all.
How did that happen?
I have no idea whether the Northwell Health employee who was terminated for allegedly accessing his medical records did what she is accused of doing. That’s a second – and important – issue, to be sure. But how did news of this all make it to a newspaper? If the media found out about it from the legal action the fired employee took, did the suit actually name Bieber, and if so, did it have to? Or did the media find out from some other source? If so, who or what? Was there a HIPAA breach in addition to any HIPAA breach Northwell had alleged?
I don’t know if HHS will investigate this seeming breach given how overwhelmed they are with breaches to investigate, but I have a number of questions I’d like answered, including:
- Does Northwell Health have logs that show whether or not the employee accessed Mr. Bieber’s records? If they do have logs, did they show the proof of their allegations to the employee and her counsel? If not, why not, and could this media circus have been avoided by the way they handled the accusation against the employee?
- Because of Mr. Bieber’s celebrity status, many systems would have additional precautions in place, such as using a fake name and “break the glass” security to further limit access to files. From media reports, it appears that Mr. Bieber may have been admitted under an alias, but what other privacy protections did Northwell have in place?
- If Mr. Bieber is named in the complaint, did Northwell Health make any motion to seal the employment complaint to protect Mr. Bieber’s privacy?
It’s possible or even likely that I may be more concerned about this incident/disclosure than Mr. Bieber may be. As a healthcare professional, a privacy advocate, and as a patient of the Northwell Health System, I think all patients should be concerned by what happened to him because a failure to protect his privacy – when there should have been heightened vigilance to protect it – doesn’t bode well for the protection of the privacy of us “little folks.”
So yes, I will be following this case. Northwell Health did not immediately reply to a preliminary inquiry I sent them. That inquiry included whether “break the glass” protection had been in place for Bieber’s records, whether Northwell has logs/audits showing access to Bieber’s records that demonstrate that the employee did access them, and whether the former employee had any obligation not to reveal Mr. Bieber’s identity or details in any employment complaint.
This post will be updated as more information becomes available.