Health IT, Hospitals

Pierre-Paul records leak, White House meeting expose HIPAA fallacies

The Internet was abuzz Wednesday evening after ESPN pro football reporter Adam Schefter tweeted a photo of a medical record supposedly showing that New York Giants player Jason Pierre-Paul had had a finger amputated.

By Neil Versel on July 09, 2015

Does the healthcare industry still need a refresher in the HIPAA privacy rule?

The Internet was abuzz Wednesday evening after ESPN pro football reporter Adam Schefter tweeted this photo of a medical record supposedly showing that New York Giants player Jason Pierre-Paul had had a finger amputated.

Pierre-Paul reportedly injured his right hand after lighting fireworks at his Florida home on July 4. He was said to have been taken to the Broward Health North hospital in Deerfield Beach, Fla. Someone at the hospital likely leaked the record to ESPN. Unless Pierre-Paul himself gave consent, that’s a serious no-no.

“HIPAA” started trending on Twitter, and some wondered if Schefter had broken the law.

presented by

Schefter did not. As USA Today correctly reported, HIPAA does not apply to news media in such a case. However, unless Pierre-Paul consented, someone at the hospital — a “covered entity,” in HIPAA parlance — likely did violate the privacy rule.

According to SB Nation, the NFL’s collective-bargaining agreement with the players’ union includes a HIPAA waiver for records to be released to each player’s team, not to the media or the public. (SB Nation cited Healthcare IT News on that one, from a presentation the league’s CIO gave at HIMSS15.)

If it was a hospital employee who leaked the record, that person should be fired and either sued or prosecuted. And healthcare providers nationwide need to remind every employee who has access to patient records that unauthorized peeking at the health data of famous people who come in for care will not be tolerated.

Remind healthcare workers of the $865,500 fine UCLA Health System had to pay in 2011 for snooping involving Farrah Fawcett, Tom Cruise and other Hollywood types. Share the story of the 27 employees of Palisades Medical Center in North Bergen, N.J., who were suspended in 2007 for violating the privacy rights of George Clooney.

And while they’re at it, teach the healthcare industry that HIPAA explicitly gives patients the right to obtain copies of their own records. That seems to have been forgotten as well.

Hours before Schefter’s revelation about Pierre-Paul, the Get My Health Data campaign tweeted this photo from the White House Champions of Change event on precision medicine.

I found this ironic because the movement started after the Obama administration proposed lowering the requirement in Meaningful Use Stage 2 regulations that providers engage 5 percent of patients “view, download or transmit” their electronic health data down to just a single patient. I tweeted as such after I saw the photo.

I didn’t get quite the response I had hoped. Instead, health IT industry watcher Margalit Gur-Arie criticized the whole Meaningful Use engagement requirement.

To me, this exposed another twisted application of HIPAA, that hospitals and medical practices are using the law as an excuse to deny access rather than to enable it.

How did the industry get it so wrong, and what will it take to fix these serious problems?