HIPAA Questions that need answers

In July of 2015, New York Giants defensive end Jason Pierre-Paul rushed to the Jackson Memorial Hospital in Miami after sustaining a hand injury as a result of an accident involving fireworks. The incident couldn’t have come at a worse time for Pierre-Paul, who was in the midst of a 60-million-dollar contract negotiation. While initially details about the extent of the injury were scarce, ESPN’s Adam Schefter soon published pictures of the football star’s hospital charts revealing that a finger on his right hand had been amputated. Releasing this private medical information was undoubtedly a violation of Pierre-Paul’s privacy and of questionable journalistic integrity, but it was not technically a HIPAA violation, at least not on the part of Schefter and ESPN. Under HIPAA rules, ESPN and their reporters are not considered to be either covered entities or business associates and therefore have no regulatory liability from the release of this information. However, a patient’s PHI (protected health information) had been disclosed without authorization, and someone had to be responsible.

Immediately, questions started to fly as to how Schefter had obtained medical charts directly from the hospital. After the Jackson Health System began an internal investigation to determine who was responsible for the breach, ESPN made a statement claiming that the information had been sent to them unsolicited and that they had not monetarily compensated the persons responsible. ESPN further stated that the decision to publish the PHI was protected under the First Amendment. While ESPN and Schefter are now being sued by Pierre-Paul for the invasion of privacy, their lawyers are making similar claims about First Amendment protections. Whether or not that lawsuit will ultimately be successful has yet to be seen, although a pre-trial motion for dismissal has been denied by a federal judge, allowing the suit to move forward.

This is not the first time that the Miami-based Jackson Health System has found itself accused of being the source of a HIPAA privacy violation. The health organization has already admitted fault for HIPAA violations twice before in 2012 and 2013. Not much is yet known about the results of the hospital’s own internal investigation into the incident other than that eventually two employees were fired. Nurse Immacula Richmond and secretary Brenda Johnson had their employment contracts terminated as a result of the privacy breach. However, the hospital has not stated that they were responsible for the disclosure of PHI to the media, only that they had been found to have inappropriately accessed the NFL player’s medical records.

The Department of Health and Human Services, which is responsible for investigating HIPAA violations, has also remained quiet about the situation. When pressed for comment, spokeswoman Rachel Seeger only said that the agency is “aware of the incident.” It is worth noting that HHS policy is to not comment or release information regarding current or potential investigations. I think it is safe to assume that the HHS has looked into or is currently looking into the matter. Under HIPAA rules, willfully disclosing PHI for personal gain is a felony that carries up to a 10-year prison sentence. While the Jackson Health System and ESPN haven’t volunteered any information that would indicate that the information was purchased from hospital employees, there are a lot of unanswered questions.

Surely two employees of the healthcare industry would know that what they were doing was a serious HIPAA violation. Why would they disclose this information directly to an ESPN reporter unsolicited and without any expectation of compensation? Did the hospital’s investigation uncover the true perpetrator, or were these two employees simply guilty of snooping? Is the string of HIPAA violations in the Jackson Health System part of a bigger problem? Do we believe that Adam Schefter and ESPN did not solicit this information from hospital employees? Currently, there are more questions than answers revolving around what occurred at Jackson Memorial Hospital last July, but this matter is far from closed.

It is extremely unlikely that the HHS would let such a highly publicized HIPAA violation go unpunished. When a HIPAA investigation leads to indications of criminal activity, the Department of Justice is brought in to conduct a parallel investigation to determine if charges are appropriate. Sometimes these matters take a very long time to play out. While having a hospital that just committed a HIPAA violation remain tight-lipped is nothing out of the ordinary, silence from the HHS could be a significant indication that something more is happening behind the scenes. At the very least, I would expect the Jackson Health System to be issued a fine considering their offending history.

As we have seen many times before, the people inside an organization are oftentimes the greatest security threat. The Jackson Health System suffered three separate privacy breaches in a three-year span, all of which were the result of employee misconduct or negligence. Covered entities and business associates who don’t learn from their previous mistakes and don’t take workforce security seriously are bound to find themselves the subject of investigations, lawsuits, and public scrutiny. While the jury is still out as to who will ultimately be responsible for this breach and to what extent, this incident should serve as yet another reminder of how quickly things can go bad when dealing with patient privacy.