HIPAA has made an unlikely appearance twice already this month in news reports involving famous athletes.
Between the Pierre-Paul medical record tweet by ESPN reporter Adam Schefter earlier this month (discussed by my partner and fellow blogger Bill Maruca here) and the ticker-tape parade featuring confetti made of shredded (but apparently legible) medical information raining down on U.S. Women’s soccer team in New York City (reported by WFMY news here), it seems HIPAA breaches and athletes have had an uncanny affinity for one another this summer, particularly in New York City.
Setting the attenuated coincidence of these events aside, the Pierre-Paul incident provides an opportunity to review when medical information that relates to one’s employment is protected under HIPAA and when it isn’t.
In 2002, the U.S. Department of Health and Human Services (HHS), the agency responsible for enforcing HIPAA, considered a comment to a proposed HIPAA regulation suggesting that “health information related to professional athletes should qualify as an employment record,” and, thus, not be considered protected health information under HIPAA. HHS was quite clear in responding that a professional athlete has the same HIPAA rights as any other individual:
If this comment is suggesting that the records of professional athletes should be deemed “employment records” even when created or maintained by health care providers and health plan, the Department disagrees. No class of individuals should be singled out for reduced privacy.
HHS refused to provide a definition of “employment record”, fearing that it might “lead to the misconception that certain types of information are never protected health information, and will put the focus incorrectly on the nature of the information rather than the reasons for which” the information was obtained.
HHS went on to explain how and when protected health information might become “employment record” information:
For example, drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee’s authorization, the test results are provided to the … employer and placed in the employee’s employment record.
HHS further clarified that:
… medical information needed for an employer to carry out its obligations under FMLA, ADA, and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by … an employer.
Going back to Pierre-Paul, the mere fact that his injury could affect his ability to perform as a professional athlete did not automatically turn the protected health information related to the injury (the medical record created by the hospital) into “employment records” exempt from HIPAA protection. It isn’t unless and until protected health information is disclosed to the employer pursuant to the individual’s authorization that it becomes an “employment record” no longer subject to HIPAA. Even if an individual’s disclosure of medical records is a condition of employment (apparently not the case in Pierre-Paul’s situation), it is the individual’s authorization that allows its disclosure, not the category or class of the individual.