One of my favorite news sources, People magazine, is reporting that George Clooney thinks that the Palisades Medical Center should go easy on the 40 employees who illegally looked at his medical records (see George Clooney Addresses the Leak of His Medical Records). The employees have been suspended without pay for a month. While I love Mr. Clooney as an actor, and am very sympathetic with his politics, on this one I think his compassion has gotten the best of him.
Unauthorized disclosures of patient information happen all the time. Most of the time it's unintentional and no harm is done. With intentional disclosures, there is a temptation to tailor punishment to motive -- specifically, to separate cases where a person looks at a record "with malice" from cases where it's "without malice". That's clearly what's going on at Palisades, and implicitly, in Mr. Clooney's head. I assume that the punishment would be different if an employee was found to be stealing Clooney's identity, or looking for his address or phone number to stalk him.
As more health care institutions convert to electronic medical records, there is increasing concern about privacy protection, and most of that concern is understandable and well-placed. The enormous benefits that can come from greater use of EMRs will go unrealized if we adopt a cavalier attitude on technologies and policies related to patient privacy. Suspending workers without pay in this case strikes me as being unbelievably lenient. If I was a patient at Palisades Medical Center, I would switch immediately to an institution that has greater respect for the trust that I've placed in them as the custodian of my records.