
Following the publication of media reports showing a photo of the medical records of a National Football League (NFL) player who underwent a finger amputation, the Miami hospital where he was treated says it is conducting an "aggressive internal investigation" into allegations that the records may have been released by an employee. A photo of New York Giants' defensive end Jason Pierre-Paul's medical record containing information about an index finger resection was published by ESPN on July 8, 2015, after Pierre-Paul reportedly sought treatment at the Miami hospital following a Fourth of July fireworks accident. The same day, the hospital, which has not identified the patient, tweeted that "it takes patient privacy very seriously and aggressively investigates any alleged violation." The next day, the hospital issued a statement from its president and chief executive officer saying an investigation was under way. The U.S. Department of Health and Human Services' Office for Civil Rights, which investigates privacy violations of the Health Insurance Portability and Accountability Act (HIPAA), told the Wall Street Journal that it could open an investigation based on media reports but declined to confirm whether it has begun an investigation, according to a July 9 report in the newspaper. Although ESPN has said that HIPAA privacy rules do not apply to news organizations, the media outlet has been under fire for "a gross transgression of privacy," according to one legal expert quoted in the Wall Street Journal article. Florida's attorney general's office confirmed in the article that it is also gathering information about the incident.

HRC Recommends: The HIPAA privacy rule requires all employees, including medical and other ancillary staff, volunteers, and students—as well as others deemed by the covered entity to be members of its workforce for purposes of compliance with the rule—to receive training consistent with their workplace role and job functions. The workforce should be trained, retrained, and monitored for compliance, and training materials should be updated to reflect changes to the notice of privacy practices. Training should also cover potential privacy rule violations that could occur. HHS, with concurrence of the U.S. Department of Justice, is empowered to impose civil monetary penalties that can amount to $50,000 or more per violation and up to a total of $1,500,000 in a single calendar year for repeated violations of a provision of the HIPAA privacy and security rules. State attorneys general are also authorized to initiate civil proceedings for injunctive relief.

Topics and Metadata

Topics

Health Information Privacy; Laws, Regulations, Standards

Care Setting

Ambulatory Care Center; Ambulatory Surgery Center; Assisted-living Facility; Behavioral Health Facility; Dialysis Facility; Emergency Department; Endoscopy Facility; Home Care; Hospice; Hospital Inpatient; Hospital Outpatient; Imaging Center; Independent Living Facility; Physician Practice; Rehabilitation Facility; Short-stay Facility; Skilled-nursing Facility; Substance Abuse Treatment Facility; Trauma Center

Roles

Corporate Compliance Officer; Healthcare Executive; Legal Affairs; Regulator/Policy Maker; Risk Manager

Information Type

News

Publication History

Published July 15, 2015

Who Should Read This

Administration, Corporate compliance, HIPAA privacy officer, HIPAA security officer, Health information management, Human resources, Information technology, Legal counsel, Staff education