New York Giants’ defensive end Jason Pierre-Paul suffered hand injuries while handling fireworks on July 4. A screenshot of a page from his hospital records was tweeted by ESPN reporter Adam Schefter on July 8, resulting in a flurry of speculation over whether the disclosure may have violated HIPAA or other privacy laws. In an article by published today by LXBN, the Lexblog Network, our partners and frequent blog contributors Michael Kline and Elizabeth Litten are quoted extensively about the implications of the publication of these records by a media outlet, the health privacy rights of public figures and the effect, if any, of the NFL’s collective bargaining agreement on such disclosures. The article is here: Did That ESPN Reporter’s Tweet Violate HIPAA?
A critical question is how the ESPN reporter obtained the records, from whom and under what circumstances. Although HIPAA does not directly regulate parties other than Covered Entities and their Business Associates, the law provides for criminal penalties for unauthorized use or disclosure of individually identifiable health information with the intent to sell, transfer, or use such information for commercial advantage, personal gain or malicious harm, including fines of up to $250,000, and imprisonment for up to ten years. The Department of Justice has stated that “the liability of persons for conduct that may not be prosecuted directly under section 1320d-6 will be determined by principles of aiding and abetting liability and of conspiracy liability.”
Illicitly obtained medical records should be contrasted with health information that is released voluntarily by the individual patient. For instance, in the Ebola infection incidents of October 2014, it appears that some information reported in the media may have been voluntarily disclosed by the affected individuals or their families. Nevertheless, famous individuals, whether their fame arises out of their health condition or because of their prominence as athletes, entertainers or politicians, have the same health privacy rights as others and those rights should be safeguarded by covered entities and their business associates.