More on a privacy breach previously noted on this blog.
Henry McKenna reports:
The hospital treating Giants defensive end Jason Pierre-Paul has begun searching for the cause of a data breach, which allowed ESPN reporter Adam Schefter to share Pierre-Paul’s medical records on Twitter on Wednesday. The documents showed Pierre-Paul was scheduled for a right index finger amputation after a fireworks accident on the Fourth of July.
“Late Wednesday, media reports surfaced purportedly showing a Jackson Memorial Hospital patient’s protected health information, suggesting it was leaked by an employee,” Jackson Health System CEO Carlos Migoya told WPTZ.com. “An aggressive internal investigation looking into these allegations is underway. If these allegations prove to be true, I know the entire Jackson family will share my anguish.
Read more on Boston.com.
I’ve read a lot of stupid comments about the matter on Twitter. You can eliminate a lot of them if you just ignore any tweet that screams about “HIPPA” violation. If they don’t know it’s “HIPAA” and not “HIPPA,” there’s a good chance they don’t know much about what the law says, either.
But let’s make a few things clear:
The media is not bound by HIPAA. If they get something, they can generally use it – unless they participated in a crime to get it. If an employee just gave the medical record to the reporter without the reporter telling the employee how to breach HIPAA or facilitating any breach of HIPAA, then there’s nothing – other than poor taste and their own ethical standards for journalism – that stops the paper from using it.
Can Pierre-Paul sue the paper and/or the hospital for a HIPAA breach? Probably not successfully. HIPAA does not provide for a private cause of action, although Florida law does provide other protections that may justify a lawsuit. And the paper would argue that this was newsworthy and protected by the First Amendment. My best guess is that the hospital will settle with Pierre-Paul to make this all go away, and they’ll hope that HHS will be somewhat forgiving, even though this isn’t the hospital’s first insider breach.
Did the employee breach HIPAA? At this point, and in light of other media reports that indicate that Pierre-Paul did not give consent to release that record and did not, himself, provide it to the media, then yes, it sounds like there has been a HIPAA breach. And I trust the hospital really is investigating this intensively right now and will likely fire the employee.
I could be wrong, of course. 🙂