CHICAGO (CBS) -- CBS 2 obtained the policies that spell out why dozens of Northwestern Memorial Hospital workers may have been fired in connection with "Empire" actor Jussie Smollett's case.
The former employees say they were fired for inappropriately accessing Smollett's medical records.
"Prevention is best," said attorney Erin Jackson.
That's why Jackson, who advises health care providers on HIPAA compliance, said Northwestern likely moved to terminate several employees accused of accessing those records.
"At some point they'll have to report the breach to the Department of Health and Human Services, and at some point they also need to tell Jussie that his records were accessed in an unauthorized way," she said.
Jackson does not advise Northwestern, but she says federal HIPAA laws are very clear.
"HIPAA has a requirement that people only have access to the minimum necessary information to do their jobs, so if they're not involved in treating him, they shouldn't have access to even his name," she said. "The consequences are grave. We're talking about huge fines, potentially criminal liability."
Sources tell CBS 2 possibly 60 or more Northwestern employees were fired for unauthorized access to Smollett's records.
CBS 2 obtained a copy of the Northwestern policies and procedures, which states a level 1 violation like misdialing a fax number would result in retraining. Level 2 violations, like sharing a password, would lead to human resources being notified. Level 3 violations, which include intentionally accessing a patient's record for which he/she has no business purpose to do so are punishable by termination or legal action.
An administrative worker who asked not to be identified is one of the latest to contact CBS 2 about her firing.
"It hurts that you work so hard, and you sacrificed so much for a company. And to just be accused of something and just terminated," she said.
She says she was fired for a HIPAA violation that she "had looked up a similar name of a high profile person."
She says it was not the actual name but a similar name.
"The name that they showed me that I looked up had a Jr. at the end of it, so I was thinking the whole time, who is this high profile patient with the last name Junior," she said.
But Jackson said with privacy concerns so top of mind, in general, there is zero tolerance for any breaches.
"Part of being a great medical center is being able to protect your patients' privacy, and if you can't do that, you're going to lose the trust of patients," she said.
Jackson said in addition to the potential federal penalties, Northwestern could face civil action if Smollett chooses to sue the hospital for violating his privacy.
Northwestern is still not commenting on the terminations, but CBS 2 has learned they are not the only ones investigating breaches.
Friday the Chicago Police Department confirmed an internal investigation is underway to try to determine who leaked information to the media.
for more features.