According to Physician Practice, “The Health Insurance Portability and Accountability Act (HIPAA) requires that all patients' medical records, whether in paper or electronic format, be protected from unnecessary use or disclosure. This protection applies to everyone, including celebrities.”
For celebrities, whose lives are subject to constant public scrutiny, HIPAA provides a layer of protection. Regardless of their public image, celebrities are entitled to the same expectation of privacy as any other patient when they see a physician. Their diagnoses, treatments, and hospitalizations should remain private unless they choose to share this information.
Healthcare professionals who violate HIPAA can face consequences, including:
Celebrity patients face unique privacy challenges. Their names and faces make it difficult to conceal their presence in healthcare facilities, and the public's interest in them is a powerful lure for staff.
This "celebrity effect" manifests in several ways:
The American Medical Association (AMA) emphasizes that "respecting patient privacy is a fundamental expression of respect for patient autonomy and a prerequisite for trust." They further state that physicians must protect patient privacy in all settings to the greatest extent possible.
Television personality Kim Kardashian delivered her daughter North West in 2013 at Cedars-Sinai Medical Center in Los Angeles. During this personal experience, her privacy was violated when some of the hospital staff inappropriately accessed her medical records.
The breach was discovered through routine auditing of electronic medical record systems. Five employees and one student research assistant were fired for accessing Kardashian's records without a valid medical reason. This incident demonstrated how hospitals must remain vigilant even during happy life events.
David Blake, Cedars-Sinai’s chief privacy officer at the time, said in a statement that the hospital has “a high standard for security” and that “unauthorized access to any patient’s record is, quite simply, unacceptable.”
Following the gruesome January 2011 shooting of U.S. Representative Gabrielle Giffords, the nation waited anxiously as she received critical treatment at University Medical Center in Tucson, Arizona. During this time, hospital administrators discovered unauthorized access to her medical records.
The hospital responded by terminating three employees and a contract nurse. The incident reflected the dilemma healthcare organizations face when responding to celebrity medical emergencies that draw heightened public interest. It also showed how rapidly hospitals must respond to privacy violations, even in the midst of managing a crisis.
The hospital released a statement, saying the employees violated a "zero tolerance policy on patient privacy violations." The hospital notified the patients' families about the breach and said nothing from the records appears to have been made public.
In July 2011, UCLA Health System paid the federal government $865,000 to settle allegations that its employees violated federal patient privacy laws. The settlement followed investigations into multiple breaches involving celebrity patients.
Between 2005 and 2008, UCLA staff, without permission, repeatedly accessed the electronic medical records of numerous patients, including celebrities like Britney Spears, Maria Shriver, and Farrah Fawcett. The settlement forced UCLA to implement a corrective action plan monitored by the Department of Health and Human Services (HHS).
This event revealed systemic problems rather than isolated incidents. Decades of repeated unauthorized access indicated institutional failure in establishing a culture of privacy and implementing adequate security measures.
Following the death of Michael Jackson in June 2009, the Ronald Reagan UCLA Medical Center faced criticism when his medical records were viewed by employees without authorization. The hospital was fined $95,000 by state regulators, and two employees and two contract workers were terminated.
The Jackson case demonstrated that privacy concerns outlive the patient and showed the challenges hospitals face during periods of unprecedented public interest. It also demonstrated how quickly healthcare organizations must identify and respond to privacy breaches to maintain public trust.
NFL player Richard Collier was paralyzed after a shooting in September 2008. After his medical records were accessed without permission while he was hospitalized at Shands-Jacksonville Medical Center in Florida, 20 employees were fired.
This event highlighted the tension between staff curiosity and patient privacy in cases involving sports stars. It showed that any healthcare personnel can be tempted to violate privacy protocols, which makes education and monitoring systems necessary.
Pop singer Britney Spears faced a number of breaches of her medical privacy when she was facing a personal crisis. In 2005, employees at Santa Monica-UCLA Medical Center improperly accessed her records when she was hospitalized to give birth.
In 2008, at least 13 personnel were fired and six suspended for inappropriately viewing her information while she was in UCLA Medical Center's psychiatric ward. Six doctors were disciplined, indicating institutional problems.
The fact that these intrusions happened to Spears repeatedly showed how celebrities who are publicly struggling with mental health problems may be particularly vulnerable to privacy invasions when they seek help.
In 2007, actor George Clooney was involved in a motorcycle accident and was treated at Palisades Medical Center in New Jersey. After unauthorized viewing of Clooney's medical records, 27 employees were suspended without pay for a month.
Interestingly, Clooney himself was worried about the severity of the punishments, stating: "While I very much believe in a patient's right to privacy, I would hope that this could be settled without suspending medical workers." His response indicated just how difficult it is to strike a balance between upholding privacy standards and issuing proportionate punishments.
These high-profile cases have prompted healthcare institutions to reevaluate and strengthen their privacy protocols. Many facilities have implemented:
The UCLA Health System case proved influential in driving institutional change. Beyond paying $865,000 to resolve allegations of HIPAA violations, UCLA implemented measures including:
Responding to the UCLA case, Georgina Verdugo, former Director of the OCR, stated, “Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider. Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”
She concluded, “Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.”
While HIPAA provides the legal basis for patient privacy, healthcare providers must also deal with the ethical dimensions of confidentiality. The American Medical Association's Code of Ethics highlights that confidentiality is not just a legal mandate but a fundamental ethical principle that dates back to the Hippocratic Oath.
For healthcare organizations, building a culture of privacy requires addressing the human factors that cause violations:
Healthcare organizations need to be transparent enough to preserve public trust while protecting the privacy of the individuals whose records were accessed and keeping personnel actions appropriately confidential.
These are some measures institutions can take:
Yes, while HIPAA itself doesn’t provide a private right to sue, celebrities can pursue lawsuits under state privacy or tort laws.
Yes, under the HIPAA Breach Notification Rule, covered entities must notify affected individuals when their protected health information is compromised.
Yes, HIPAA protections continue for 50 years after a person’s death.
They can use pseudonyms, sign additional confidentiality agreements, and limit who is authorized to access their records.
No, HIPAA offers equal protections to all patients, regardless of status.