In July, HIPAA made sports headlines and even trended on Twitter when New York Giants defensive end Jason Pierre-Paul sought treatment at a Miami hospital after injuring his hand while handling fireworks. The injury became common knowledge after ESPN reporter Adam Schefter tweeted a photo of Pierre-Paul's medical record, with a caption stating that ESPN had obtained medical charts documenting that one of his fingers had been amputated. The tweet created an immediate outcry from NFL players and fans alleging privacy and HIPAA violations by the reporter and ESPN. A closer look at HIPAA, however, reveals that it does not even apply to the reporter or to ESPN.

The Health Insurance Portability and Accountability Act of 1996 and its Privacy Rule establish safeguards governing when protected health information (PHI) held by covered entities and business associates may be used and disclosed. As defined by HIPAA, covered entities are 1) healthcare providers, 2) health plans and 3) healthcare clearinghouses. A business associate is a person or organization that performs functions on behalf of, or provides certain services to, a covered entity and in doing so has access to PHI. The intent behind HIPAA was to force covered entities and business associates to control the ways in which they disclose PHI. An entity or individual that does not meet the definition of a covered entity or business associate is not required to comply with the HIPAA rules. Consequently, HIPAA does not apply in this case because ESPN is a news organization, not a covered entity or business associate. Jackson Health System, where Pierre-Paul was treated, is a covered entity, however, and could face penalties for breaching patient privacy if Pierre-Paul never authorized the disclosure of his medical record.

Unfortunately, this is not the first time that celebrity medical records have been improperly accessed. In 2007, more than two dozen employees at a hospital in New Jersey were suspended after snooping through George Clooney's medical records and releasing his medical information to the press. Many employees not involved in Clooney's care had logged into the hospital's electronic medical record system to view his file. In 2011, the UCLA Health System reached a settlement with the government to pay $865,000 after complaints were filed that employees had inappropriately accessed the medical records of multiple celebrities, including Britney Spears, Farrah Fawcett and then-California First Lady Maria Shriver.

Covered entities and business associates need to be aware that employees snooping through medical records can have significant consequences. Huping Zhou, a former UCLA researcher, admitted to accessing and reading the medical records of celebrities and co-workers out of mere curiosity and without a valid medical reason. While HIPAA does not create a private right of action allowing a patient to sue for a violation, criminal enforcement actions can be brought by the Department of Justice. Criminal sanctions may be imposed on a person who "knowingly and in violation of this part" obtains individually identifiable health information relating to an individual, or discloses individually identifiable health information to another person. The Zhou case was the first in which an individual was sentenced to prison under HIPAA for snooping through medical records: Zhou received four months in prison and a $2,000 fine. It did not matter that there was no evidence of misuse or of any attempt to profit from the health information. The US Court of Appeals for the Ninth Circuit upheld Zhou's conviction, rejecting his contention that it should be overturned because he had not known he was violating HIPAA. The Court noted that under HIPAA the prosecution only had to prove that Zhou had knowingly accessed the medical records and that such access was not permitted under HIPAA; it did not have to prove that he knew the access was illegal.

Given the large number of staff employed by hospitals and health systems, it can be hard to police everyone. Hospitals nevertheless need to remain vigilant and establish clear HIPAA policies. Every employee who has the potential to access PHI must be trained in these policies and informed of the sanctions that may be imposed for failing to abide by them. Hospitals and health systems should restrict employee access to PHI to the minimum necessary for each role, require individual password-protected accounts for the medical record system and remind employees that sharing passwords is strictly prohibited, since a shared password defeats both access control and the audit trail that shows who viewed which record. The Clooney and UCLA cases were detectable precisely because the record system logged each employee who opened a file; those logs are only useful if someone reviews them. With the explosion of social media platforms such as Twitter and Instagram, vigilance regarding patient privacy is in order.
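The snooping pattern the post describes (employees with no role in a patient's care opening that patient's chart) is the kind of thing a hospital can find by reviewing its own access logs. The following is an added example, not code from the post or from any of the health systems named; it assumes a hypothetical tab-separated audit format (timestamp, user, patient, action, reason) and a hypothetical care-team roster, both constructed inline. It flags chart views by users not on the patient's care team, and keeps documented emergency ("break-the-glass") overrides in a separate list for review rather than silently accepting them.

```python
"""Detect possible chart snooping in constructed EMR access-log lines.

Added example, not from the original post. The audit-log format and the
care-team roster below are hypothetical; a real EMR audit export will
differ, but the check (access by someone outside the care relationship)
is the same.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit lines (hypothetical format):
# timestamp \t user_id \t patient_id \t action \t reason
AUDIT_LOG = """\
2015-07-08T09:12:03Z\tu1001\tP-5501\tVIEW_CHART\ttreatment
2015-07-08T09:15:44Z\tu1002\tP-5501\tVIEW_CHART\ttreatment
2015-07-08T09:20:10Z\tu2077\tP-5501\tVIEW_CHART\t
2015-07-08T09:21:55Z\tu2077\tP-5502\tVIEW_CHART\t
2015-07-08T09:22:30Z\tu2077\tP-5503\tVIEW_CHART\t
2015-07-08T10:02:00Z\tu3010\tP-5501\tVIEW_CHART\tbreak-the-glass:ED consult
2015-07-08T10:05:12Z\tu1002\tP-5504\tVIEW_CHART\ttreatment
"""

# Constructed care-team roster (hypothetical): users authorized to read each chart.
CARE_TEAM = {
    "P-5501": {"u1001", "u1002"},
    "P-5502": {"u1005"},
    "P-5503": {"u1006"},
    "P-5504": {"u1002"},
}


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    patient: str
    action: str
    reason: str


def parse_log(text):
    """Parse the hypothetical audit format into Access records; reject malformed lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            raise ValueError(f"malformed audit line: {line!r}")
        rows.append(Access(*parts))
    return rows


def find_unauthorized(accesses, care_team):
    """Split accesses into (flagged, overrides).

    flagged:   views by a user who is not on the patient's care team and
               gave no emergency justification -> candidate snooping.
    overrides: views outside the care team that carry a break-the-glass
               reason; permitted, but each one should be reviewed.
    """
    flagged, overrides = [], []
    for a in accesses:
        if a.user in care_team.get(a.patient, set()):
            continue  # ordinary treatment access by the care team
        if a.reason.startswith("break-the-glass:"):
            overrides.append(a)
        else:
            flagged.append(a)
    return flagged, overrides


def users_by_flag_count(flagged):
    """Count flagged views per user; a user touching many charts is the priority."""
    counts = defaultdict(int)
    for a in flagged:
        counts[a.user] += 1
    return dict(counts)


if __name__ == "__main__":
    flagged, overrides = find_unauthorized(parse_log(AUDIT_LOG), CARE_TEAM)
    for a in flagged:
        print(f"FLAG    {a.ts} {a.user} viewed {a.patient} with no care relationship")
    for a in overrides:
        print(f"REVIEW  {a.ts} {a.user} viewed {a.patient}: {a.reason}")
    print("per-user flag counts:", users_by_flag_count(flagged))
```

Run against the constructed log, user u2077 is flagged three times (three charts, no care relationship, no justification), while u3010's emergency view of P-5501 is listed for review rather than flagged. The roster lookup is the weak point in practice: it only works if care-team assignments are kept current in the source system, so stale rosters produce false positives and should be reconciled before anyone is accused of snooping.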

Ashley Thomas

Ashley Thomas is a licensed attorney and incoming associate at Hall, Render, Killian, Heath & Lyman. She is a 2014 graduate of Vanderbilt Law.
