The following blog post was written by Al Tripodi, Quality Auditor Associate at RMS.

HIPAA Privacy and Security Compliance is paramount to health care organizations, as well as any vendors or associates which have access to Protected Health Information (PHI). Violation of HIPAA can lead to termination of employment, large financial fines, and even jail time. The following is a story that reflects on a recent HIPAA compliance issue featured in the news.

One Florida-based hospital may be in some serious HIPAA hot water after an employee reportedly leaked an NFL player’s confidential medical record to the press. An employee at Jackson Memorial Hospital allegedly leaked the medical record of Jason Pierre-Paul, the defensive lineman for the New York Giants, to ESPN reporter and analyst Adam Schefter, who then posted a portion of the player’s medical record on Twitter. The medical record confirmed that Pierre-Paul had his right index finger amputated at the hospital, reportedly as a result of a July 4th fireworks mishap.

ESPN is not considered a covered entity or business associate under HIPAA, but Jackson Memorial Hospital is indeed “bound by the law” and thus liable for HIPAA privacy and security violations.

“The hospital, its employees and staff, and other covered entities and business associates have the obligation not to release PHI without the patient’s consent,” said David Harlow, principal at healthcare law and consulting firm The Harlow Group, in an emailed statement. “A journalist doesn’t have that obligation, nor does his network.”

Now it becomes a question of how the ESPN reporter got hold of Pierre-Paul’s medical record in the first place. “The hospital staffer who likely provided it is the one who has violated HIPAA,” Harlow explained. And if that individual is indeed an employee of the hospital, Jackson Memorial could be in some big trouble too. HIPAA violation fines can reach $50,000 per violation, with a $1.5 million annual maximum.

The hospital launched an “aggressive internal investigation looking into these allegations,” said Carlos A. Migoya, president and CEO of Jackson Health System, in a statement. “If we confirm that Jackson employees or physicians violated a patient’s legal right to privacy, they will be held accountable, up to and including possible termination. We do not tolerate violations of this kind.”

If an investigation confirms that a hospital employee did provide this medical record to the press without Pierre-Paul’s consent, this would be a violation of HIPAA. And it wouldn’t be the health system’s first HIPAA breach. In fact, over the last four years, Jackson Health System has reported three large HIPAA breaches, according to data from the U.S. Department of Health and Human Services.

RMS Healthcare, a division of RMS in Baldwinsville, NY, can provide HIPAA training for your organization to heighten awareness and to ensure you have the processes in place to mitigate risk. We can assist your organization in developing and implementing policies and procedures that align with the Omnibus rulings. We can provide you and your health care organization all the HIPAA policies, procedures, and forms needed. If you would like to learn more about HIPAA Privacy and Security Compliance or further discuss how RMS Healthcare can help you, contact our Senior Director, Healthcare Operations and Compliance, Susan Maxsween at or by calling (315) 635-9802.

Here are links to additional information if you would like to read more: