SBNation ran a story showing that ESPN’s Adam Schefter had tweeted that Jason Pierre-Paul, a New York Giants defensive end, had suffered the amputation of a finger as a result of a Fourth of July fireworks accident and that Schefter had included in the tweet a picture of Pierre-Paul’s medical records showing the amputation. The SBNation article postulated that releasing his records without his consent was a HIPAA violation. The article asserted that individuals must consent to have their medical information shared publicly.
Although there is some truth to that assertion, HIPAA’s Privacy Rule specifies many situations in which the patient need not consent for a covered entity or a business associate of one to share health information publicly. For example, no consent is needed to report child abuse, crime on the premises, or information necessary to locate a missing person or to prevent a serious and imminent harm to a named individual or the public, among others. Further, a patient may waive his or her HIPAA rights except as a condition to receive treatment. Thus, a professional athlete could “waive” HIPAA and other confidentiality rights as a condition of getting a professional contract because, as the author correctly pointed out in the article, a player’s physical condition is certainly newsworthy.
The author also pointed out that Pierre-Paul’s agent, not the NFL franchise, could have violated HIPAA by obtaining the medical records and providing them to the ESPN reporter Schefter. I have not read the contract, but it is certainly conceivable that it specifies that the agent is the agent for either the player or the Giants or both and may waive the HIPAA rights. Note that, by its terms, HIPAA applies only to covered entities—health plans, health care providers, health care clearinghouses, and business associates of those entities, such as those who provide a service for a covered entity involving health information, such as a billing service or a transcription service. The so-called HITECH Act added “other individuals” to the list of those who could commit a criminal HIPAA violation, but all the indictments under this theory have been for a serious misuse of health information, such as the long-term care facility visitor who walked off with such information to use it to commit identity theft.
The SBNation article concluded by saying that the ethics of the situation were a different matter, but that, legally speaking, ESPN and the reporter, Schefter, were in the clear. I would say that they are most likely in the clear. What if someone else, such as the athlete’s or the team’s agent or some unrelated third party, had improperly obtained the records and had then given or sold the records to the reporter? The provider that either had failed to safeguard the chart or had improperly disclosed it to Schefter or to someone who eventually disclosed it to Schefter could fact criminal or civil liability. The covered entity’s release of information policy should spell out the conditions for a proper release. And the professional sports team should review the language purporting to allow this disclosure in its contract’s publicity clause.
Also, an article from the April 14, 2015, online issue of Healthcare IT News, “NFL completes technology integration,” states that “EHR, imaging, video and communications technologies [are] now integrated league-wide [in the NFL] to accelerate diagnosis, treatment and care coordination.” So one could also wonder whether the EHR was secure.
Further, some comments in/about the articles and/or on the tweet itself suggest that a collective bargaining agreement (“CBA”) waives players’ HIPAA rights.
In short, too many questions still remain to be answered to make a definitive statement about whether the release of that medical information was indeed a HIPAA violation.
If you wonder what to do if you experience a breach, take a look at my book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: All You Need to Know, available on the Veterans Press website.