Potential HIPAA violation could land hospital in hot water

A Florida hospital could be in hot water for a potential high-profile HIPAA violation.

On Wednesday evening, ESPN NFL reporter Adam Schefter tweeted a picture of a medical record allegedly obtained from Miami-based Jackson Health System for New York Giants defensive end Jason Pierre-Paul, who reportedly had his right index finger amputated following a mishap with fireworks. Some reports indicated that Pierre-Paul had been treated at Broward Health North hospital in Deerfield Beach, Florida, but a hospital representative with Broward told FierceHealthIT that Pierre-Paul had not been treated at that facility.

As USA Today, NJ.com and Forbes have noted, while ESPN and Schefter broke no laws, the hospital clearly erred in leaking the record, unless Pierre-Paul himself, or someone in his camp, gave consent for the record to be shared; reportedly Pierre-Paul did not give consent, according to Bleacher Report.

A statement emailed to FierceHealthIT by Jackson Health notes that "an aggressive internal investigation looking into the allegations" is underway.

"Late Wednesday, media reports surfaced purportedly showing a Jackson Memorial Hospital patient's protected health information, suggesting it was leaked by an employee. ... If these allegations prove to be true, I know the entire Jackson family will share my anguish," Jackson Health President and CEO Carlos A. Migoya said in the statement. "Our nurses, doctors and other healthcare professionals are passionate about our patients' health and well-being, and that includes the right to privacy. If we confirm Jackson employees or physicians violated a patient's legal right to privacy, they will be held accountable, up to and including possible termination. We do not tolerate violations of this kind."

Migoya added that Jackson enforces "strict rules for those who handle patient information" and continues to educate all employees on privacy regulations.

"Those rules are constantly evolving as technology changes, but always remain focused on putting our patients first," he said.

If a Jackson employee is found at fault, this would not be the first time a hospital was punished under HIPAA for snooping on or sharing a celebrity's medical record information. In 2012, a federal appeals court upheld the conviction of a former employee of the UCLA Healthcare System for accessing the hospital's electronic health record without authorization. The employee, former researcher Huping Zhou, accessed at least 323 patient records--including those of actors Arnold Schwarzeneggar and Tom Hanks--during a three-week period in 2003 after being informed that he was being dismissed for performance reasons. Zhou pled guilty in 2010 for violating HIPAA and was sentenced to four months in prison and fined $2,000.

A year earlier, in 2011, UCLA agreed to pay a fine of $865,000 and to develop a correction action plan to settle potential HIPAA privacy violations involving improper disclosure of medical records at three of its hospitals. The hospital had disclosed in April 2008 that it had discovered that several employees had snooped into the patient records of dozens of celebrities, including Britney Spears, Tom Cruise and Maria Shriver.

To learn more:
- here's Schefter's tweet
- here's the Bleacher Report article
- check out the USA Today article
- read the NJ.com post
- here's the Forbes article