Update of December 12: See the update/follow-up here.
Several months ago, I was contacted by a reader who asked me about the Alex Rodriguez case and whether there was a HIPAA breach. I responded, via e-mail, that I didn’t know as the clinic was no longer in operation and I didn’t have any information on them. Over the weekend, a story appeared on The Bent Corner in that says, in part:
The evidence against A-Rod is based on stolen medical records obtained from Porter Fischer, an ex-employee of Biogenesis of America, an anti-aging clinic in Coral Gables, Florida. The clinic has since closed. Reportedly, MLB paid Fischer for the records. Fischer stole the medical records from Biogenesis of America because he believed the clinic owed him some money, $4,000 to be exact.
What’s worse, using PEDs or stealing someone’s medical records?
Biogenesis of America was owned and operated by Tony Bosch, a man who at least pretended to be a medical doctor. It would stand to reason that anyone partaking of the ant-aging services of Biogenesis of America, whether they be a retired postal worker or a guy playing third base for the New York Yankees, had the expectation that what they were doing was confidential and protected by doctor-patient privilege.
As I noted in my discussion of a case involving blood donors, not all entities are HIPAA-covered entities, even if they employ doctors or have a medical component. Was Biogenesis of America ever a HIPAA-covered entity? I don’t know. They listed a medical doctor as their medical director in their Florida business incorporation papers, but again, that doesn’t make them a HIPAA-covered entity. So that’s one question: was there a reportable privacy breach under HIPAA or not?
As a second question: can Major League Baseball purchase records stolen from a clinic and use them against a player? I don’t think they should be able to do so, but I don’t know if that’s really what they did, and besides, I am not a lawyer and do not know what the law says about such conduct.
But the public perception is what I want to address. The fact that the public may have an expectation of privacy when there may be no HIPAA protection or state law protection is problematic and needs to be addressed. Whether it’s an anti-aging clinic, a weight loss clinic, or anything other than a medical practice that hands you a copy of their HIPAA policies and/or privacy practices, ask whether they are HIPAA-covered and ask for a copy of their privacy policies.
Update: The case is even more confusing, as some sources say it was not MLB but Rodriguez himself who purchased his clinic records, presumably to destroy them. I have no idea whether either story is accurate.