The article indicates that 40 employees at Palisades Medical Center in North Bergen, NJ were suspended for violating the hospital's HIPAA policies and procedures.
Based on the information in the article I suspect that the employees were found to have violated the minimum necessary provisions under the HIPAA Privacy Rule. This section of the rule provides:
For uses of protected health information, the covered entity’s policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.As more news comes out about this I suspect this might serve as a good example of application of the minimum necessary requirements under HIPAA. If the employees further disclosed the information to third parties outside the hospital (including the media) other provisions of HIPAA might also come into play.
