Last week, two potential coronavirus-related HIPAA violations may have occurred. After testing positive for the coronavirus, both the Dallas Cowboys’ running back Ezekiel Elliott and St. Martinsville, Louisiana Mayor Melinda Mitchell had their results shared by the press. Both questioned how news organizations gained information and raised inquiries about potential HIPAA violations. In fact, the first thing Elliott tweeted when he saw the news release was ‘HIPAA ??” The Health Insurance Portability and Accountability Act (or HIPAA) functions as a safeguard for a patient’s protected health information (PHI). In both these cases, publicly sharing that Elliott and Mitchell tested positive for the coronavirus.
First, to be a HIPAA violation, the information has to come from a covered entity (CE). The three categories of CEs are health plans, health clearinghouses, and certain healthcare providers. HIPAA covers a doctor or nurse, but not an employer/employee or the media. So while sportswriter Ian Rapoport reported Elliott’s results first, he is not liable under HIPAA. And while confirmation came from Elliott’s agent Rocky Arceneaux, he is also not liable. In Mitchell’s case, reportedly no one on her team confirmed her results, which is why she asked where the information came from. And second, to be a HIPAA violation, the patient must not have given consent. Finally, while the government relaxed certain HIPAA rules during the pandemic, the privacy rule still does not allow media access without express patient authorization. It does allow access to general statistical information as long as the data lacks direct indicators like a patient’s name or occupation. In other words, a CE must still be HIPAA compliant during a health crisis and must still implement reasonable PHI safeguards.
If an investigation into either case reveals a HIPAA violation, disciplinary action could result against the CE at fault. In 2019, for example, Northwestern Memorial Hospital in Chicago fired employees for accessing the actor Jussie Smollett’s PHI. Unfortunately, medical record snooping, especially for high-profile individuals, is nothing new. While there is no new information on Elliott’s or Mitchell’s case, the outcome could potentially mark a new chapter for HIPAA-related questions. Especially during a health crisis.