Co-written by Matt Hoover and Matt Leyva
On Wednesday evening, ESPN reporter Adam Schefter tweeted an image of an NFL athlete’s personal medical records that set the twittersphere ablaze and had #HIPAA trending throughout the nation. This setup an interesting Thursday morning for us here at Galen, where three of our biggest passions, Healthcare IT, patient advocacy, and professional sports, collided (well, four if you count fireworks safety – seriously, ask your favorite Galeneer about that). The reactions ranged from disbelief to disdain, but predominantly disappointment. These types of events erode the inherent trust in a patient-provider relationship that we collectively work to cultivate as an industry. As trust is lost, patients may start intentionally withholding pertinent information from their providers which could be critical to ensuring that proper care is delivered at the appropriate time.
Initially, Schefter was inundated with backlash for this blatant HIPAA violation. Was his decision to tweet the image morally justifiable? We all have our opinions, but let’s not get into that right now. Was Schefter in the wrong? From a HIPAA standpoint, both he and ESPN are non-covered entities that fall beyond the bounds of HIPAA regulations, and his actions are legally defensible by the First Amendment freedom of speech clause. The primary offender, assuming this patient did not provide consent to share his medical records, are the parties belonging to the covered entity who initially leaked the information. As with similar cases, this flagrant disregard for HIPAA laws will almost certainly warrant punishment – up to $50,000 in civil penalties and up to $250,000 with a maximum of 10 years imprisonment for criminal penalties.
Situations like this will make patients think twice before sharing information due to fear it may not remain private. It is counterproductive to the efforts so many in the HIT community are pushing to accomplish, especially as we strive towards increasingly connected systems and improved interoperability with applications such as Health Information Exchanges (HIE). Whether the victim is a Grammy-winning superstar, an Oscar-lauded actor, an all-star athlete, or an average Joe, this isn’t the first instance of unauthorized individuals accessing and/or disclosing ePHI. It’s probably not the last either, but if there is a silver lining takeaway, maybe it’s that this incident raises awareness and precipitates a change in behavior relating to HIPAA, both in the HIT arena and the media.
For any additional questions about HIPAA or the guidelines that Galen and the HIT industry follow, feel free to contact us at firstname.lastname@example.org.