Jason Pierre-Paul Finger Amputation Disclosure Violates HIPAA Rules
to a news report on ESPN. Surgeons treated the football player after the accident, but were unable to save his right index finger.
A tragedy such as this would naturally make then news; however, it is making headlines for another reason. Information about Pierre-Paul’s medical condition appears to have been leaked to the media from a source within the hospital; breaching the Health Insurance Portability and Accountability Act (HIPAA) and violating Pierre-Paul’s right to privacy.
The circumstances surrounding the disclosure strongly suggest there was no prior consent obtained from Pierre-Paul before the information was disclosed; even the New York Giants were unaware their defensive end had a digit removed until they heard the report on ESPN.
ESPN Reports on Pierre-Paul’s Medical Status
The news broke on Sunday after a healthcare worker at the hospital disclosed the news about the celebrity patient to a friend; violating Pierre-Paul’s privacy and breaching HIPAA Rules.
That friend then posted the information online via his Twitter account, and from there rumors started spreading. ESPN picked up the story and obtained confirmation of its authenticity via a source. An image of the patient’s medical chart was then posted on Twitter by ESPN’s Adam Schefter. Personality Identifiable Information (PII) and Protected Health Information (PHI) can be clearly seen in the image.
The story was then picked up the media and questions started to be asked about HIPAA Rules and whether ESPN breached the HIPAA Privacy Rule by publishing PHI and PII of a patient, apparently without consent first being obtained.
The information viewable in the image file includes the patient’s name and age, date of the operation, private medical comments and name of the treating physician.
HIPAA Violation could result in $50,000 fine or more
Sports Broadcasters are not covered by HIPAA Rules so a HIPAA fine could not be issued. Posting an image containing both Protected Health Information and Personally Identifiable Information was ill-advised and inappropriate; but it is the apparent disclosure by hospital staff member(s) that is likely to see a penalty issued; should that be deemed necessary by state and federal officials.
The initial disclosure of information about the patient is a violation of HIPAA Rules, and this carries a penalty of $50,000 under HIPAA/HITECH Rules. The individual responsible for the breach could also face criminal charges for the privacy violation.
The Office for Civil Rights investigates all potential HIPAA violations involving over 500 individuals, and a number of smaller data breaches. State Attorneys General can also fine companies and individuals for violations of privacy.
Image source: Mike Morbeck, CC BY-SA 2.0, Wikimedia Commons