Monday Night HIPAA: HIPAA Hits Prime Time


For a few days in July 2015, HIPAA became an unavoidable topic of conversation. It trended on Twitter, was the subject of numerous news stories, and was otherwise the hot topic of the day. How and why did this happen? A tweet of a professional football player’s medical record was sent out by a reporter for a major sports network. The resulting firestorm of commentary and viewpoints showed just how deeply feelings of privacy about medical information run, as well as a general lack of knowledge about what HIPAA is and does.

The debate started on July 8th when a reporter posted a picture of a football player’s purported medical record. The medical record showed a significant medical procedure that the player underwent. Following the tweet, public reaction was swift and widespread. For the most part, public reaction was in favor of the player’s right to privacy and condemned the reporter and his organization for determining it was acceptable to send out the tweet. However, as the messages and some stories continued, a number of statements were made as to the repercussions that the reporter should face. Many alleged that the reporter and his organization violated HIPAA by posting the medical record.

However, the reporter and his organization are not subject to HIPAA in this context and do not need to follow the restrictions imposed by HIPAA. Their use of the information will not give rise to liability. HIPAA is driven by context. It applies to very clearly defined categories of individuals and entities. The media, generally, does not fall within HIPAA’s scope of coverage.

If the reporter and his organization do not need to comply with HIPAA, then where is the issue? The issue lies with the facility where the alleged medical information originated. The football player sought and received treatment from a hospital. Clearly a hospital is a healthcare provider and subject to HIPAA compliance requirements. Accordingly, even though it may not seem fair, in the context of the football player, the hospital is the most likely party to receive a fine or other penalty.

How then was the medical record released? If the player consented to the release, then no problem exists. However, there is no evidence that any such consent was provided. No commentary or statements have been available from the player. As such, it must be assumed that the record was released without his knowledge.

If the record was released without consent, then it is safe to guess that the record was obtained as a result of snooping or just released without consent. Either scenario demonstrates a disregard for HIPAA privacy requirements or a lack of awareness. Neither alternative paints a good picture. For the sake of argument, the snooping issue should be considered. Snooping is a known issue in the healthcare world. In fact, snooping or insider access issues are typically identified as the most prevalent cause of medical information breaches.

If the issue is so prevalent, why does it not receive more widespread attention? Typically, the improper access occurs in the normal course of daily operations and no high-profile individuals are impacted. However, when a celebrity such as the football player or Kim Kardashian (in 2013) or the first Ebola patient (in 2014) is involved, the issue draws mainstream media attention. The important thing to remember is that improper access issues occur frequently and not just when famous patients are involved.

What can be done to help stop issues of improper access? Clearly, addressing and containing any such issues falls under HIPAA compliance obligations. A good way to address the issue is to audit and monitor access to medical records. This can be random sampling of access to ensure that all access is for a legitimate reason, and flagging the so-called “VIP” patients for extra monitoring. Vigilance is necessary for healthcare organizations to avoid running into trouble under HIPAA.
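One way to implement the audit described above, as an added example that is not part of the original post: every access to a flagged VIP patient is queued for human review, together with a random sample of all other accesses. The log records, user and patient IDs, and the care-team table used as a stand-in for "legitimate reason" are constructed assumptions.

```python
import random
from collections import namedtuple

Access = namedtuple("Access", "time user patient")

# Constructed sample data; all names and IDs are illustrative.
LOG = [
    Access("2015-07-08T09:02", "rn_adams", "P100"),
    Access("2015-07-08T09:15", "dr_lee", "P200"),
    Access("2015-07-08T09:40", "clerk_moss", "P200"),
    Access("2015-07-08T10:05", "rn_adams", "P300"),
    Access("2015-07-08T10:30", "dr_lee", "P100"),
    Access("2015-07-08T11:00", "clerk_moss", "P300"),
]
VIP_PATIENTS = {"P200"}  # patients flagged for extra monitoring
# Assumed proxy for "legitimate reason": documented care-team assignments.
CARE_TEAM = {
    "P100": {"rn_adams", "dr_lee"},
    "P200": {"dr_lee"},
    "P300": {"rn_adams"},
}


def build_review_queue(log, vip_patients, care_team, sample_size, seed=None):
    """Return (access, why, on_care_team) tuples for a human reviewer."""
    rng = random.Random(seed)
    vip = [a for a in log if a.patient in vip_patients]
    rest = [a for a in log if a.patient not in vip_patients]
    # Random sampling of ordinary accesses; VIP accesses are always reviewed.
    sampled = rng.sample(rest, min(sample_size, len(rest)))

    def documented(a):
        return a.user in care_team.get(a.patient, set())

    queue = [(a, "vip", documented(a)) for a in vip]
    queue += [(a, "random-sample", documented(a)) for a in sampled]
    # Accesses with no documented relationship sort to the top of the queue.
    queue.sort(key=lambda item: item[2])
    return queue


if __name__ == "__main__":
    for access, why, ok in build_review_queue(LOG, VIP_PATIENTS, CARE_TEAM, 2):
        status = "on care team" if ok else "NO documented relationship"
        print(f"{access.time} {access.user:<11} {access.patient} [{why}] {status}")
```

An undocumented relationship is a prompt for review, not a finding in itself; the reviewer still decides whether the access was legitimate.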

As indicated above, the hospital where the football player was treated is the party most likely to receive a financial penalty or face some other repercussion. That does not mean the reporter and his organization are escaping without any negative consequence; the court of public opinion is taking its toll there.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.