Last night, ESPN reporter Adam Schefter tweeted a photo of New York Giants defensive end Jason Pierre-Paul’s medical chart, which chart indicated that Pierre Paul had his index finger amputated. The amputation was apparently the result of a fireworks accident on the Fourth of July. Prior to the Schefter’s report of the amputation, the injury was already a major offseason story for the NFL, as Pierre-Paul is a pro-bowler, and initial reports indicated that the New York Giants withdrew an outstanding $60 million contract offer as a result of the Fourth of July injury.
Football aside, the Pierre-Paul story is yet another example of a celebrity patient’s medical information being disclosed to the media. Right now, the internet is ablaze with news stories and comments suggesting that Adam Schefter and/or ESPN violated HIPAA by posting a copy of Pierre-Paul’s medical chart. Despite the public outcry, this view highlights a fundamental misunderstanding of HIPAA and its prohibitions. Adam Schefter and/or ESPN are not the ones that should be concerned about a HIPAA violation – the hospital and its employee(s) that leaked Pierre-Paul’s medical chart, however, should be.
At its most basic level, HIPAA provides certain federal protections for protected health information (“PHI”) held by covered entities and their business associates. The definition of a “covered entity” includes health care providers, health plans, and health care clearinghouses. See 45 C.F.R. 160.103. A “business associate,” in turn, is generally defined to include a person or entity that creates, receives, maintains or transmits PHI on behalf of a covered entity. Id.
Clearly, neither ESPN nor Adam Schefter constitutes a covered entity or business associate. Absent evidence of a conspiracy with hospital employees to obtain the documents in violation of HIPAA, ESPN and Adam Schefter should be in the clear with respect to HIPAA. On the other hand, unless Pierre-Paul appropriately authorized the disclosure of his medical chart, the hospital and its employee(s) that leaked the medical chart to Adam Schefter could face significant civil and/or criminal penalties in connection with a HIPAA violation.
It is also important to note that although HIPAA does not authorize a private right of action (meaning that only the Department of Health and Human Services Office of Civil Rights or State Attorneys General can enforce HIPAA), private individuals have had some success with lawsuits alleging state law privacy violations that utilize HIPAA to establish the standard of care.
For additional information regarding HIPAA, please contact Dan O’Brien, Cliff Mull, or any other member of Benesch’s Health Care Department.