A Miami hospital has announced it will investigate the possible leak of a National Football League player's medical record after it was tweeted out by an ESPN anchor.
NFL Insider Adam Schefter tweeted late Wednesday a photo of what appeared to be part of New York Giants defensive end Jason Pierre-Paul's medical record, which noted that he had his right index finger amputated. It was reported that he had been injured in a fireworks accident over the July 4 weekend.
The record did not say where the procedure was performed, though some media outlets alleged that the record had been leaked by an employee of Miami-based Jackson Health System after the procedure was performed at Jackson Memorial Hospital. The health system tweeted an open letter from President and CEO Carlos Migoya on Thursday stating that Jackson Health has initiated an “aggressive internal investigation” into the allegations.
“If we confirm Jackson employees or physicians violated a patient's legal right to privacy, they will be held accountable, up to and including possible termination,” Migoya said. “We do not tolerate violations of this kind.”
The apparently unauthorized disclosure of protected health information would constitute a violation of the Health Insurance Portability and Accountability Act, a federal patient privacy law to which the system and its employees are subject. If Pierre-Paul files a complaint with the HHS Office for Civil Rights, and HHS finds Jackson Health System responsible for the leak, the health system could face fines, said Michael Bossenbroek, an attorney with Wachler & Associates.
Bossenbroek said the fines could range from $100 to $50,000 per disclosure in cases where the system mistakenly or unwittingly disclosed information, while cases of willful neglect are more likely to face fines between $10,000 and $50,000 per disclosure.
There could also be violations of state law, he said. HIPAA doesn't directly provide Pierre-Paul with a private course of legal action, though a resourceful lawyer could find a way to sue the hospital if it is directly implicated in the leak.
There's no fool-proof way to prevent a HIPAA violation, Bossenbroek said, but hospitals need to make sure they're limiting employee access to medical records and making privacy rules clear.
“I think the best thing that a covered entity can do is to have good policies and procedures in place and train your employees so that they're aware of the risk and liabilities of properly handling patient populations,” he said.