Palisades hospital in New Jersey has suspended 27 employees for accessing actor George Clooney's medical record after he was treated there following a motorcycle crash. I don't disagree with the employees' suspension, but the hospital spokesperson told reporters, "What these individuals did was violate a HIPAA regulation. We can not say that they actually released any of this information to the media."
It's clear that someone did leak to the media information from his medical record, but the hospital doesn't know who. Additionally, these employees had access to patient EMR data as employees of a covered entity (the hospital). So I'm picking a nit here, but I do believe the hospital has admitted that it doesn't know which of the 27 employees suspended, if any, actually violated HIPAA. As far as I can tell they were, under the law, authorized to view Clooney's medical record. Of course, what they did was still inappropriate, unprofessional, unethical, and probably a violation of hospital policy.
But perhaps the best-slash-worst part of this whole situation is that a union rep defending some of the suspended employees has been quoted as saying, "There are hospital obligations to have security systems so that a breach can't occur -- obviously that failed."