Does reporting patient information constitute a HIPAA violation?

Did ESPN cause a HIPAA violation? Was it a HIPAA violation when it reported Jason Pierre-Paul’s medical record on Twitter? The short answer is no. ESPN is not a healthcare provider or a covered entity. Even if a reporter for ESPN went into the hospital and took a picture of a computer screen with Jason Pierre-Paul’s chart showing, it would not be a HIPAA violation. Sounds wrong, doesn’t it? It’s not. As a covered entity or Business Associate, it is your responsibility to make it so ESPN cannot come in and take a picture of the screen. The idea of protecting ePHI is making it so that it can’t be stolen or viewed by people not affiliated with the hospital or business. If a reporter goes into a hospital or medical practice, they should not be able to look at computer screens, walk through clinics, steal PCs or laptops, or access a patient’s chart in any way. That’s what HIPAA policies and procedures are all about. With that said, ESPN itself did not cause a HIPAA violation.

The records were revealed. Isn’t this a HIPAA violation? YES. It is definitely a HIPAA violation. In the case of Jason Pierre-Paul, the HIPAA violation was caused by a hospital employee leaking the information. This is one of the most serious violations, and the hospital could be fined as much as 1.5 million dollars. This is blatant willful neglect, and the employee will be held accountable, including termination. ESPN itself is not considered a covered entity or business associate, so it is not governed by the HIPAA laws. The hospital employee should have been trained and made aware of the consequences of revealing a patient’s ePHI, and what would happen if they did it. If the employee signed off on this type of training and gave the personal information to the reporter anyway, I would suspect termination, and a revised training program for employees.

So who gave ESPN the records? I’m sure the hospital will launch a thorough investigation into this. I can imagine a few different scenarios, but we will have to wait for the final analysis. This is one of the main reasons the HIPAA laws require unique IDs for all employees accessing a patient’s chart. This is the reason you want automatic log-offs and a ban on password sharing. What if this person sat at someone else’s workstation or logged in under someone else’s EHR ID? There are many HIPAA policies in place to make sure you can trace the responsible party.
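To show what "tracing the responsible party" looks like in practice, here is an added example (my own code, not from the original post or from any EHR vendor) that reviews a small, constructed EHR access log. The pipe-separated format, the field names, the user IDs, workstation names and patient IDs are all assumptions made up for illustration; real audit logs differ by vendor. It answers two questions an investigator would ask: which unique IDs touched a given chart, and which IDs show up on two different workstations within a few minutes of each other, which is the usual fingerprint of a shared password or a session left open without automatic log-off.

```python
"""Review a constructed EHR access log: who opened a chart, and which
user IDs look shared. Added example, not code from the original post."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format (assumed): timestamp|user_id|workstation|patient_id|action
SAMPLE_LOG = """\
2015-07-08T14:02:11|nurse_a|WS-ER-01|PT-1001|VIEW_CHART
2015-07-08T14:03:40|nurse_a|WS-ER-01|PT-1001|VIEW_IMAGING
2015-07-08T14:05:02|clerk_b|WS-ADMIT-03|PT-2042|VIEW_CHART
2015-07-08T14:06:15|nurse_a|WS-ICU-07|PT-1001|VIEW_CHART
2015-07-08T14:20:00|dr_c|WS-ER-02|PT-1001|VIEW_CHART
2015-07-08T15:41:33|clerk_b|WS-ADMIT-03|PT-1001|PRINT_CHART
"""


def parse_log(text):
    """Turn the pipe-separated lines into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, patient, action = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ws": ws,
            "patient": patient,
            "action": action,
        })
    return records


def who_accessed(records, patient_id):
    """Every access to one patient's chart, in time order.

    With unique IDs per employee this list is the starting point of a
    breach investigation: each entry names a person, a workstation and a time."""
    hits = [r for r in records if r["patient"] == patient_id]
    return sorted(hits, key=lambda r: r["ts"])


def suspected_shared_ids(records, window=timedelta(minutes=5)):
    """User IDs seen on two different workstations within `window`.

    One person cannot sit at two workstations at once, so this pattern
    usually means a shared password or a session nobody logged off from.
    Returns {user_id: [workstations involved]}."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs)):
            for j in range(i + 1, len(recs)):
                if recs[j]["ts"] - recs[i]["ts"] > window:
                    break  # sorted, so later entries are further apart
                if recs[i]["ws"] != recs[j]["ws"]:
                    flagged.setdefault(user, set()).update({recs[i]["ws"], recs[j]["ws"]})
    return {u: sorted(ws) for u, ws in flagged.items()}


def report(text, patient_id):
    """Human-readable summary for one chart; returns the lines it prints."""
    records = parse_log(text)
    lines = [f"Accesses to {patient_id}:"]
    for r in who_accessed(records, patient_id):
        lines.append(f"  {r['ts'].isoformat()}  {r['user']:<8} {r['ws']:<12} {r['action']}")
    shared = suspected_shared_ids(records)
    lines.append("Possibly shared IDs: " + (", ".join(f"{u} on {ws}" for u, ws in shared.items()) or "none"))
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(SAMPLE_LOG, "PT-1001")
```

In the sample, `nurse_a` appears at WS-ER-01 and then at WS-ICU-07 two and a half minutes later, so that ID is flagged; the `PRINT_CHART` entry by `clerk_b` is the kind of line a reviewer would follow up on by checking whether that role had any reason to touch the chart. The point of unique IDs, automatic log-off and no password sharing is that this kind of review actually points at a person instead of at a generic login.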

I can’t wait to see how this one plays out.

HIPAA Consultant for Tier3MD