For a few days in July 2015, HIPAA became an unavoidable topic of conversation. It trended on Twitter, was the subject of numerous news stories, and was otherwise the hot topic of the day. How and why did this happen? A tweet of a professional football player’s medical record was sent out by a reporter for a major sports network. The resulting firestorm of commentary and viewpoints showed just how pervasive feelings of privacy about medical information run as well as a general deficiency of knowledge about what HIPAA is and does.
The debate started on July 8th when a reporter posted a picture of a football player’s purported medical record. The medical record show a significant medical procedure that the player underwent. Following the tweet, public reaction was swift and widespread. For the most part, public reaction was in favor of the player’s right to privacy and condemned the reporter and his organization for determining it was acceptable to send out the tweet. However, as the messages and some stories continued, a number of statements were made as to the repercussions that the reporter should face. Many alleged that the reporter and his organization violated HIPAA by posting the medical record.
However, the reporter and his organization are not subject to HIPAA in this context and do not need to follow the restrictions imposed by HIPAA. Their use of the information will not give rise to liability. HIPAA is driven by context. It applies to very clearly defined categories of individuals and entities. The media, generally, does not fall within HIPAA’s scope of coverage.
If the reporter and his organization do not need to comply with HIPAA, then where is the issue? The issue lies with the facility where the alleged medical information originated. The football player sought and received treatment from a hospital. Clearly a hospital is a healthcare provider and subject to HIPAA compliance requirements. Accordingly, even though it may not seem fair, in the contest of the football player, the hospital is the most likely party to receive a fine or other penalty.
How then was the medical released? If the player consented to the release, then no problem exists. However, there is no evidence that any such consent was provided. No commentary or statements have been available from the player. As such, it must be assumed that the record was released without knowledge.
If the record was released without consent, then it is safe to guess that the record was obtained as a result of snooping or just released without consent. Either scenario demonstrates either a disregard for HIPAA privacy requirements, or a lack of awareness. Either alternative does not paint a good picture. For sake of argument, the snooping issue should be considered. Snooping is a known issue in the healthcare world. In fact, snooping or insider access issues are typically identified as the most prevalent cause of medical information breaches.
If the issue is so prevalent, why does it not receive more widespread attention? Typically, the improper access occurs in the normal course of daily operations and no high-profile individuals are impacted. However, when a celebrity such as the football player or Kim Kardashian (in 2013) or the first Ebola patient (in 2014), then the issue draws mainstream media attention. The important thing to remember is that improper access issue occur frequently and not just when famous patients are involved.
What can be done to help stop issues of improper access? Clearly addressing and containing any such issues fall under HIPAA compliance obligations. A good way to address the issue is to audit and monitor access of medical records. This can be random sampling of access to ensure that all access his for a legitimate reason and to flag the so-called “VIP” patients for extra monitoring. Vigilance is necessary for healthcare organizations to avoid running into trouble under HIPAA.
As indicated above, the hospital where the football player is the party most likely to receive a financial penalty or face some other repercussion. That does not mean the reporter and his organization are escaping without any negative consequence; the court of public opinion is taking its toll there.