Jason Pierre-Paul is a 6'5", 278-pound defensive end who plays football for the New York Giants. He can run a 4.78-second 40-yard dash. For non-football fans, just know that the guy is huge, fast, and dominant at his position.
About a year ago, on the Fourth of July, a fireworks accident caused severe damage to his hand. As a defensive end, he depends on his hands to grab and shed opposing players. A few days after the accident, ESPN's Adam Schefter tweeted a picture of Jason Pierre-Paul's medical chart showing that his right index finger had been amputated after the fireworks injury. That tweet has been re-tweeted over 7,600 times.
Jason Pierre-Paul has since filed an invasion of privacy lawsuit against ESPN and Adam Schefter (http://www.si.com/nfl/2016/08/25/jason-pierre-paul-hand-photo-suing-espn-adam-schefter).
Michael McCann’s Sports Illustrated article correctly points out that Jason Pierre-Paul’s lawsuit is not based on HIPAA (The Health Insurance Portability and Accountability Act of 1996). The article says, “…while Schefter could not have violated HIPAA, the person or persons who shared Pierre-Paul’s chart were presumably healthcare providers and thus would have violated HIPAA.”
Generally speaking, HIPAA applies to a "covered entity" or "business associate" that uses or discloses Protected Health Information ("PHI").
A "covered entity" is a healthcare provider (including dentists), a health plan (e.g. a health insurer), or a healthcare clearinghouse, as defined in 45 C.F.R. Section 160.103.
A "business associate" is a person or company outside your workforce that creates, receives, maintains, or transmits PHI on your behalf while performing a function or service for you, such as billing, claims processing, IT support, or data storage.
PHI is individually identifiable "health information," which the same section defines as "any information, including genetic information, whether oral or recorded in any form or medium that: (1) is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and (2) [r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual." The key word is "identifiable": information that identifies the patient, or could reasonably be used to identify the patient, is PHI; information stripped of all identifiers is not.
What should you do in your office?
Once you have PHI, you have an obligation to protect it, and obtaining PHI is as simple as a patient telling you about an issue, whether or not that conversation is ever written down. Because PHI is so easy to acquire, how do you protect it? The following are a few Do's and Don'ts for PHI:
1) Don't tweet a picture of any patient's chart. Even if a court finds no invasion of privacy, a dentist who does so is violating HIPAA with each tweet. Blacking out the patient's name is not enough: dates, account numbers, photographs, and unusual injuries can all identify a patient, and a chart only stops being PHI once every identifier that could point to the patient has been removed.
2) Do obtain a Patient Authorization or Court Order before releasing PHI to anyone outside the patient's own treatment, payment, and healthcare operations (sending records to another treating dentist or submitting a claim to the patient's insurer does not require an authorization, but even those disclosures are limited to the minimum necessary to do the job). Patient Authorization forms have certain requirements, including an expiration date and a specific list of people who can receive that patient's PHI, that your attorney should be able to help you with. If the person asking for a patient's PHI is not listed on that patient's Patient Authorization form, either have the patient directly give the requesting party the PHI or wait until the requesting party obtains a court order requiring you to release the information. A subpoena signed only by an attorney is not a court order, and on its own it does not require you to release PHI. Verify the identity of anyone requesting records before you send them, and, beware, Patient Authorization forms for minors are generally only valid if signed by a parent or legal guardian.
3) Do enter into business associate agreements ("BAA") with your business associates. A BAA is a contract in which any entity that assists you in carrying out your healthcare functions agrees to abide by HIPAA in carrying out its own duties in handling your PHI. Who needs a BAA, however, is not always obvious. The test is whether the vendor creates, receives, maintains, or transmits PHI for you: your technology management company and a patient scheduling company that holds your patient list certainly do, your accountant does if the work involves access to patient records, and your cleaning crew generally does not, because any contact it has with PHI is incidental rather than part of the service. When in doubt, get the BAA, and keep PHI out of sight of anyone who does not have one.
4) Do encrypt your data. This includes not only emails containing PHI, but also your computers, laptops, phones, servers, data backups, and any other item that contains PHI. Encryption pays for itself the first time a laptop or backup drive goes missing: PHI that was encrypted in a manner consistent with HHS guidance is not "unsecured" PHI, so its loss is not a reportable breach, whereas the loss of an unencrypted device is. Encryption is only as strong as its keys, so store passwords and recovery keys somewhere other than the device they protect, and check that the encryption is actually turned on rather than assuming a new machine shipped with it enabled.
5) Do train your office on HIPAA compliance and document that training. While simply training your staff on HIPAA will not shield you from liability under HIPAA, that training will help your case if you are accused of violating HIPAA.
Depending on the HIPAA violation, each violation could carry a penalty of up to $50,000.00, with a cap of $1,500,000.00 per year for violations of the same provision. That's 1,500,000 reasons to protect PHI.