Who is the guilty party of this HIPAA violation?

By: Tod Ferran, CISSP, QSA
Someone’s career may have been ruined when a hospital worker reportedly told his friend about a famous football player’s injury. You may have heard about this incident.

Adam Schefter, a sports writer and journalist for ESPN, tweeted a quick snapshot of the football player’s (Jason Pierre-Paul) medical record that he received from a friend, which showed Pierre-Paul’s finger was amputated.

Not only did the Giants pull their $60-million contract offer after hearing the news of Pierre-Paul’s injury, but this HIPAA violation will also definitely impact his contract negotiations going forward.
HIPAA Violation Examples

I don’t generally follow football, but got quite involved when I began thinking about the HIPAA implications of this incident.

The only way there would be no HIPAA violation in this case is if Pierre-Paul gave his consent for the medical record to be published.
And that’s highly unlikely.
It’s no question the JPP incident involves a HIPAA violation by at least one individual. But who?

Who is at fault?

The journalist who tweeted the photo? The employee who told his friend about the injury? The hospital, for not adequately training its employee? ESPN, for hiring a journalist with questionable ethics?

Technically, HIPAA violations are only applicable to healthcare providers. That means the only possible HIPAA violators are 1) the hospital where Pierre-Paul was staying, and 2) the employee who leaked personal information about the patient.

From a HIPAA standpoint, the journalist who published his medical record is technically safe. Non-healthcare providers (like the media) aren’t held to the same privacy/HIPAA standards as healthcare providers.

Because I’m not a lawyer, I’m unsure, from a legal standpoint, if a lawsuit against Schefter for unethical behavior would hold up in court.

How will they be punished?

It’s unclear right now what will happen. Sometimes the Department of Health and Human Services (HHS) shells out big fines, and sometimes they don’t. But since this is such a high-profile case that has blown up in the media, I doubt they’ll let it slide.
  • The HHS could come after the hospital with a fine.
  • The HHS could also come after the employee that leaked the information.
  • Pierre-Paul could sue the hospital for HIPAA negligence because the leak damaged his career.
  • Pierre-Paul could also individually sue the employee that leaked his medical record.
As @foremania points out in his tweet, the state in which the hospital is located (Florida) could also get involved, depending on their privacy laws.

Tweet by @foremania


Employee training

While this is an absolute tragedy for all parties involved, it is also a perfect, real-life example of why HIPAA employee training is so vitally important for the protection of patient data. Unfortunately, employees are unquestionably a healthcare institution’s weakest link. Because of a single action by one misinformed, malicious, or naïve employee, an entire hospital’s reputation could be on the line.

By instituting proper training protocols, employers can help reduce the threat of incidents (like this one) occurring in their workforce.

I don’t know how much that medical employee was paid for releasing that picture, but like @karasoth says, it sure won’t be worth losing his job and medical license, being fined, and potentially being sent to prison.

Tweet by @karasoth

This is not the first time celebrity data has been leaked to the press. In 2014, UCLA Medical Center fired 13 employees for unauthorized access to Britney Spears’ medical records.

I suggest highlighting Jason Pierre-Paul’s story to your employees as part of a special training.

Make sure you cover these points when training employees:

  • The protected data of celebrities should be treated with even more care, because of the potential to go viral if leaked
  • What to do when journalists ask questions about patients
  • The long-term consequences of a HIPAA violation, to a healthcare institution, but also to an individual employee

In the long run, this violation might turn out to be a good thing. Not for Pierre-Paul or the hospital, but for HIPAA in general. Already it has brought one of healthcare’s biggest issues to the forefront of the news, and to people who wouldn’t normally bother educating themselves about HIPAA.

Hopefully this incident helps both healthcare providers and employees alike to remember the fragility of patient data protection.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.