Hospital draws HIPAA heat after NFL medical record tweet

'We do not tolerate violations of this kind'
By Erin McCann
09:49 PM
Share
football players

One Florida-based health system may be in some serious HIPAA hot water after one of its employee reportedly leaked an NFL player's confidential medical record to the press.

An employee at Jackson Memorial Hospital reportedly leaked the medical record of Jason Pierre-Paul, the defensive lineman star for the New York Giants, to an ESPN reporter, who then posted a portion of the player's medical record online. The medical record posted to Twitter confirmed that Pierre-Paul had his right finger amputated at the hospital, a procedure reportedly attributed to a July 4 fireworks mishap. The injury allegedly led to the New York Giants pulling Pierre-Paul's $60 million contract.

[See also: Groups hit with record $4.8M HIPAA fine.]

ESPN is not considered a covered entity or business associate under HIPAA, but Jackson Memorial Hospital is indeed bound by the law and thus liable for HIPAA privacy and security violations.

"The hospital, its employees and staff, and other covered entities and business associates have the obligation not to release PHI without the patient's consent," said David Harlow, principal at healthcare law and consulting firm The Harlow Group, in an emailed statement. "A journalist doesn't have that obligation, nor does his network."

So then, he added, it becomes a question of how the ESPN reporter got a hold of Pierre-Paul's medical record in the first place. "The hospital staffer who likely provided it is the one who has violated HIPAA," Harlow explained. And if that individual is indeed an employee of the hospital, Jackson Memorial could be in some big trouble too.

[See also: How one health system is putting an end to insider snooping.]

HIPAA violation fines involving cases of willful neglect can reach $50,000 per violation, with a $1.5 million annual maximum. 

As far as what the hospital is saying about all of this? They have launched an "aggressive internal investigation looking into these allegations," said Carlos A. Migoya, president and CEO of Jackson Health System, in a statement. "If we confirm Jackson employees or physicians violated a patient's legal right to privacy, they will be held accountable, up to and including possible termination. We do not tolerate violations of this kind."

[See also: EHR audit catches snooping employee.]

If an investigation confirms a hospital employee did provide this medical record to the press without Pierre-Paul's consent, this would be a violation of HIPAA. And it wouldn't be the health system's first HIPAA breach. In fact, over the last four years, Jackson Health System has reported three large HIPAA breaches, according to data from the U.S. Department of Health and Human Services. 

Meanwhile, Twitter was abuzz with reactions to the reports. Here are some that stood out: