HIPAA Explainer Series: HIPAA Compliance Q&A (Part 4)

Well, hello! Welcome back to our HIPAA Q&A series, where you can get answers to all of your HIPAA questions. Our goal is to simplify HIPAA for your organization and make it painless to get the information you need to protect your patients' privacy and meet compliance regulations.

This series evolved from questions we received in a recent webinar of ours, HIPAA Compliance Essentials, Simplified.

If you’re new to the series, you might want to visit Part 1, Part 2, and Part 3. If you’re already up to speed, let’s dive right in.

On July 8, 2015, ESPN reporter Adam Schefter tweeted that NFL New York Giants player Jason Pierre-Paul had his right index finger amputated at Jackson Memorial Hospital in Miami because of a 4th of July fireworks accident. Schefter also posted a picture of Pierre-Paul’s medical records: evidence of a significant violation of HIPAA.

This incident raised important questions regarding HIPAA Privacy and the rights of patients, especially VIP patients. The events that led to the Jason Pierre-Paul HIPAA breach are worth exploring, as they give us insight into potential weak areas and help us learn how to better protect patients and our organizations from future HIPAA violations.

I'll go ahead and answer a few pertinent questions regarding the incident.

Q1:  Is Adam Schefter, the reporter, guilty of a HIPAA violation?

Probably not, although it’s hard to be 100% sure without access to all of the facts. Generally, the HIPAA rules only apply to entities such as hospitals, healthcare providers, health plans, and their employees and contractors. However, if Schefter conspired with a hospital employee to obtain the medical records, he could be found liable under the 2009 update that added “other individuals” to the list of potential violators. See Attorney Jon Tomes' comments here.

Q2:  Perhaps nobody was guilty of a HIPAA violation in the posting of Pierre-Paul’s medical record information or Protected Health Information (PHI)?

It’s extremely unlikely that nobody was at fault here. If Pierre-Paul took the photographs and released the information himself, it would not be a HIPAA violation. Likewise, if Pierre-Paul signed a written authorization approving the release and Jackson Memorial released the information consistent with its policies, it would not be a HIPAA violation. Considering how media sources apparently close to Pierre-Paul reported the incident, and the fact that the hospital launched an “aggressive internal investigation,” both scenarios seem extremely unlikely.

Q3:  Assuming this is a HIPAA violation, who is liable?

Jackson Memorial and the employee who released the information.

Q4:  What scenarios would limit the liability of Jackson Memorial?

Jackson Memorial would have limited liability if all of the following applied:

  • Jackson Memorial had good, clear policies, consistent with the regulations, regarding employees’ duties to protect PHI.
  • It had documented evidence that the employee had received training regarding the policy and staff members' duties to protect PHI.
  • The employee had signed a HIPAA confidentiality agreement, which might mitigate the hospital's liability.

Q5:  What should Jackson Memorial do if it discovers the source of the breach?

HIPAA requires entities to have “sanction policies” in place so, assuming Jackson Memorial does, it should follow those policies. Good sanction policies are progressive and allow for a range of actions based on the severity of the infraction. At a minimum, the employee should be terminated. Involvement of law enforcement should also be considered.

Q6:  What if the photograph was taken by a non-employee such as by another patient or a sneaky private detective?

It likely wouldn’t shield Jackson Memorial very much because HIPAA requires entities to have procedures in place to prevent this kind of snooping.

Q7:  What could Jackson Memorial have done to prevent this breach from occurring?

It is exceedingly difficult to protect against a malicious, willful actor. That being said, there is a lot organizations can do to prevent violations. The first orders of business are policy and training. Entities should make sure that procedures limit access to information to those who really need it and protect against snoops and rogue employees. Workstations should be properly positioned. Paper should be turned face down when not being processed or used. Entities need to constantly remind employees of their responsibilities to safeguard patients' PHI. Policies should be in place regarding the use of mobile phones and other portable devices that govern appropriate use and prohibit the recording of sensitive information.

Q8:  Can you think of a technical safeguard that might have prevented this scenario?

Yes, but it is one that has some serious trade-offs and may not have worked anyway. There are mobile device management (MDM) solutions that have a feature called “geofencing” that can disable certain applications on registered mobile devices based on geographic location. So mobile phones could be configured through the MDM so that the camera is disabled within the boundaries of the hospital. But this capability would only apply to phones managed through the MDM (which doesn’t cover most personally owned devices in a typical hospital setting). In addition, having a camera can be a useful feature in the hospital setting. And lastly, many employees react very badly to overly restrictive MDM policies, especially on personally owned devices.

UPDATE: Responding to the controversy over his tweet, Adam Schefter said in an interview that "All I will say [about how I got those images] is I never once requested a single image from anyone at any time; the images came to me."

Stay tuned for Part 5 of our HIPAA Q&A Series. Go ahead and ask your HIPAA-related questions below in our comments form.
