Professional Football Player’s Medical Records Released Without Authorization

In recent weeks the most widely covered Health Information Technology (HIT) case involved an offseason injury to an athlete, where a news source publicly released Protected Health Information (PHI). Healthcare practices and employees are required to keep medical information confidential, unless there is a formal request to make it available to a designated party by the patient or regulating authorities. If the player did not authorize this release of his information, HIPAA Privacy law was violated.

A hospital or covered entity accepts responsibility for patient privacy and pays financial penalties for all breach incidents. Employees receive training to uphold privacy requirements and face dismissal from their jobs for incidents of negligence. Criminal prosecution would apply in this case if deemed as an intentional act by a staff member to illegally transfer this information. For those who re-shared the image in question, for instance on social media, technically they are under no obligation if the violation has already taken place.

Information about health status, provision of healthcare, or payment for healthcare that contains identification of an individual qualifies as PHI. This information can only be shared without prior approval if all personal identifiers have been removed, using a process of de-identification:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html

NFL Image - REVISED

In the above image identifiers are marked out; information in this form may be used for medical research or education. However for high-profile incidents, such as recently reported on the news, some one could still figure out whose report they are looking at. There are grey areas in the law, as there may be ways to narrow down an individual’s identity even with identifiers removed. Generally no one should disclose information of this nature, de-identified or otherwise, unless given specific instruction and permission to do so.

Anybody with reason to believe such an incident has affected them should file a complaint with the Health & Human Services (HHS), Office for Civil Rights (OCR), within 180 days, following the instructions here:

http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

On a side note, the NFL as an employer requires personnel to disclose pertinent health records for injury reports, so the public is able to find out health history of players more readily than workers in most professions.

Share this in :
  •  
  •  
  •  
  •  
The following two tabs change content below.
Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.

Subscribe for Updates

Upcoming Events

  1. Managing the Risks of a Healthcare Data Breach

    April 6 @ 12:00 pm - 1:30 pm