Social Media Disclosure of NFL Player's PHI (and Other Violations) Lead to $2.15 Million in HIPAA Penalties | Practical Law

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that a Florida hospital system must pay more than $2.15 million in civil money penalties for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Among other violations, the action resulted from employees' improper access to an NFL player's protected health information (PHI). The player's PHI was then leaked to multiple media outlets and posted on Twitter by a reporter, causing financial and reputational harm to the player.

by Practical Law Employee Benefits & Executive Compensation
Published on 24 Oct 2019 | USA (National/Federal)
On October 23, 2019, HHS's Office for Civil Rights (OCR) announced that it had imposed more than $2.15 million in civil money penalties against a Florida hospital system for violations of HIPAA's privacy, security, and breach notification rules that occurred between 2011 and 2016 (see HIPAA Privacy, Security, and Breach Notification Toolkit). Among other violations, the action resulted from improper access by the hospital system's employees to an NFL player's treatment-related protected health information (PHI). After this information was leaked to several media outlets, it was posted to Twitter by a reporter.

Numerous HIPAA Violations

The enforcement action resulted from HIPAA violations by a nonprofit academic medical system (and HIPAA covered entity (CE)) that:
  • Operates several hospitals and medical centers throughout Florida.
  • Provides health care to approximately 650,000 individuals annually.

NFL Player's PHI Disclosed in Media Reports and on Social Media

In October 2015, HHS opened a compliance review of the CE regarding several media reports that disclosed the PHI of a well-known NFL player who was a patient at one of the CE's hospitals. In addition, a news reporter posted a photograph on Twitter of one of the hospital's operating room screens and a paper schedule, both of which contained the NFL player's PHI. During its investigation, HHS learned that two of the CE's employees had accessed the NFL player's electronic medical record without a job-related purpose for doing so. Because of these breaches, the NFL player suffered reputational and professional harm (see Financial and Reputational Harm to NFL Player).
HIPAA's Privacy Rule requires CEs to implement policies and procedures for granting workforce members access to PHI, including electronic PHI (ePHI), and to limit that access to the minimum necessary for each person's job duties. The CE failed to restrict its employees' access to individuals' ePHI to that minimum (see Practice Note, HIPAA Privacy Rule).

Lost Paper Records

According to HHS's findings of fact, the CE also lost several boxes of patient records in separate incidents in December 2012 and January 2013, and did not report the losses to HHS until August 2013. The CE therefore did not timely provide HHS a breach notification concerning the lost records (see Practice Note, HIPAA Breach Notification Rules). Moreover, the CE's breach report referenced only one of the two incidents, and the CE did not offer an addendum to its original report addressing the other incident until nearly three years later.

Employee's Theft of NFL Player's PHI

In February 2016, the CE submitted another breach report to notify HHS that one of its employees had been selling patient information since July 2011. Over that period, the employee had improperly accessed more than 24,000 patients' records.

Incomplete Risk Analyses

During the years that these violations were occurring and being reported, the CE hired third parties to conduct several risk analyses of its HIPAA compliance efforts (see Practice Note, HIPAA Breach Notification Rules: What Is a Breach Requiring Notification?). HHS characterized each of these risk analyses as incomplete, though for different reasons. For example, one of them failed to:
  • Include all ePHI created, received, maintained, or transmitted by the CE.
  • Fully identify the threats and vulnerabilities that existed on the CE's systems.

HIPAA Provisions Violated

In assessing civil money penalties, HHS concluded that the CE violated HIPAA's implementing regulations by failing to:

Factors Considered in Determining Amount of Penalties

HHS sent a notice of proposed determination to the CE in July 2019. The notice indicated a civil money penalty of more than $2.15 million, based on the specific HIPAA violations at issue. HHS weighed the following factors in determining the amount of civil money penalties imposed:
  • The widespread nature of the HIPAA violations involved, for example, that the CE:
    • continually failed to carry out an adequate, enterprise-wide risk analysis;
    • permitted an employee to abuse her access to ePHI, which went undetected for several years; and
    • did not file an addendum to its original breach notification to fully report the loss of paper records.
  • The CE's history of HIPAA noncompliance, as reflected in the three primary HIPAA breaches addressed in this action.
  • The CE's financial condition (that is, though the CE is a public entity that regularly serves low-income and disadvantaged individuals, the penalty amount will not jeopardize the CE's ability to continue providing health care).
  • The CE's efforts to cooperate with HHS's investigation and to take some compliance steps, which include:
    • implementing a HIPAA manual;
    • restricting physical access to sensitive areas and workstations;
    • adopting logout procedures;
    • retraining certain workforce members concerning identity theft and appropriately sanctioning others (including through termination) (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials);
    • hiring important compliance personnel (for example, a Chief Privacy Officer (CPO) and Chief Information Security Officer (CISO)); and
    • acquiring "activity review monitoring" software.
  • The CE's failure to provide written evidence of mitigating factors for HHS's consideration in determining the amount of penalties.

Financial and Reputational Harm to NFL Player

As a factor of particular interest in this enforcement action, HHS considered the nature and extent of the harm resulting from the violations. In this regard, HHS noted that the NFL player's treatment-related PHI was disclosed by multiple media outlets, including by an ESPN reporter via Twitter. Because of the leak of the player's medical condition (which involved an injury to his hand), he sustained both financial and reputational harm. This included:
  • Harm to his reputation as a successful football player.
  • Rescission of a $60 million contract from an NFL team after the ESPN tweet.

Practical Impact

As we've seen repeatedly in recent years, HIPAA's compliance requirements do not mix well with disclosures on social media – and to the media in general (see Legal Update, Disclosure of Patients' PHI on Yelp Leads to $10,000 HIPAA Settlement: Practical Impact: Addressing Social Media in HIPAA Privacy Notices). This incident, which was widely reported in the press for its consequences to the NFL player involved, also offers some takeaways for avoiding situations like this and for handling an HHS HIPAA investigation. For example, although the CE conducted several risk analyses (completed by third parties), none of them was the type of "enterprise-wide" review envisioned by HHS. Also, although the CE had purportedly adopted employee access procedures for PHI in its possession, those procedures were not followed closely enough to prevent ongoing access by individuals who lacked proper authorization. Audit logs and access reports for systems containing ePHI were not regularly reviewed; an employee opening more than 24,000 patients' records over roughly five years is exactly the pattern that routine review of those logs is meant to surface. The CE also would have benefitted from updating its breach notifications in response to newly discovered incidents. Finally, the CE may have missed an opportunity to present mitigating factors, or to raise affirmative defenses to the imposition of civil money penalties (see Practice Note, HIPAA Enforcement: Penalties and Investigations: Affirmative Defenses).
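The two controls this update keeps returning to (restricting workforce access to the minimum necessary, under NFL Player's PHI Disclosed in Media Reports and on Social Media, and regularly reviewing audit logs and access reports, under Practical Impact) are shown below in working form as an added example. It is not code from Practical Law or from the hospital system discussed; the audit-log layout, the user and patient identifiers, the care-team table, the restricted-record flag and the volume thresholds are all constructed assumptions for illustration. The review runs three checks over the log: accesses by users with no treatment relationship to the patient, every access to a flagged (VIP) record, and users whose distinct-patient count is far above their peers'.

```python
"""Periodic information-system activity review over an EHR access log.

Added example for this update, not code from Practical Law or from the
hospital system it describes. Log format, names, IDs, care-team table and
thresholds are constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed audit-log extract (assumed column layout; real EHR audit logs
# differ by vendor).
LOG_HEADER = "ts,user,role,patient,action\n"
LOG_ROWS = [
    "2015-10-01T08:02:11,nurse01,RN,P1001,view",
    "2015-10-01T08:05:40,nurse01,RN,P1002,view",
    "2015-10-01T09:15:03,dr_smith,MD,P1001,view",
    "2015-10-01T09:20:55,dr_smith,MD,P2000,view",
    "2015-10-01T09:22:10,dr_smith,MD,P2000,update",
    "2015-10-01T12:47:30,tech22,IT,P2000,view",    # no treatment relationship, flagged record
    "2015-10-01T13:01:09,nurse01,RN,P2000,view",   # no treatment relationship
]
# A billing clerk opening one record after another: the high-volume pattern
# that a periodic review should surface even when each access looks routine.
LOG_ROWS += [
    f"2015-10-01T{9 + i // 60:02d}:{i % 60:02d}:00,clerk07,BILLING,P{3001 + i},view"
    for i in range(40)
]
SAMPLE_LOG = LOG_HEADER + "\n".join(LOG_ROWS) + "\n"

# Constructed treatment relationships: patient -> users on the care team.
CARE_TEAM = {
    "P1001": {"nurse01", "dr_smith"},
    "P1002": {"nurse01"},
    "P2000": {"dr_smith"},
}
# Constructed set of records carrying a confidential/VIP flag; every access
# to these is reviewed, not only access lacking a treatment relationship.
RESTRICTED = {"P2000"}


def parse_log(text):
    """Parse the CSV extract into a list of event dicts (one per access)."""
    return list(csv.DictReader(io.StringIO(text)))


def no_treatment_relationship(events, care_team):
    """Minimum-necessary check: accesses by users not on the patient's care team."""
    return [(e["user"], e["patient"]) for e in events
            if e["user"] not in care_team.get(e["patient"], set())]


def restricted_record_access(events, restricted):
    """Every access to a flagged record, with the accessing user and action."""
    return [(e["user"], e["patient"], e["action"]) for e in events
            if e["patient"] in restricted]


def volume_outliers(events, factor=3.0, floor=10):
    """Users whose distinct-patient count is well above their peers'.

    A user is flagged when the count exceeds both `floor` and `factor` times
    the median count across all users in the window. Both values are assumed
    starting points; tune them per role and per system.
    """
    patients = defaultdict(set)
    for e in events:
        patients[e["user"]].add(e["patient"])
    counts = {u: len(p) for u, p in patients.items()}
    if not counts:
        return {}
    baseline = median(counts.values())
    return {u: n for u, n in counts.items() if n > floor and n > factor * baseline}


def review(text, care_team=CARE_TEAM, restricted=RESTRICTED):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "no_treatment_relationship": no_treatment_relationship(events, care_team),
        "restricted_record_access": restricted_record_access(events, restricted),
        "volume_outliers": volume_outliers(events),
    }


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        shown = hits if isinstance(hits, dict) else hits[:5]
        print(f"{check}: {len(hits)} finding(s), e.g. {shown}")
```

The treatment-relationship check is only as good as the care-team source feeding it, and a billing role may legitimately touch many records, so in practice the volume baseline is computed per role rather than across the whole workforce; the point of the example is that all three checks are cheap to run on a schedule, which is what the "activity review monitoring" software referenced above automates.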