Last week, we wrote about the FTC’s splash into the healthcare breach waters. Now, ESPN wades in by learning from a U.S. District Court in Florida on August 25, 2016 that one needn’t be a healthcare provider or health plan to be stung by healthcare privacy laws.
Jason Pierre-Paul, a defense end for the New York Giants, brought suit in United States District Court in Florida against ESPN and Adam Schefter, the reporter who tweeted a photograph of the medical records to his Twitter followers, contending that tweeting of the records and ESPN’s release of the information that indicated Pierre-Paul had severely injured his right index finger in a fireworks accident (he went on to have the finger amputated), violated Pierre-Paul’s privacy rights. ESPN moved to dismiss the action, arguing the Florida statute under which he sued applied only to health practitioners and plans and that ESPN had a First Amendment interest in right to disclosure of these records because they were in the public interest.
District Court Judge Marcia G. Cooke firmly rejected both positions. Ruling from the bench, she held that the Florida statute created a privilege broad enough that Pierre-Paul’s written authorization was required for disclosures of his medical records except under certain circumstances not present in this case. The hospital that treated Pierre-Paul, Jackson Memorial, has settled the privacy suit against it for release of his records (for an undisclosed sum), and now ESPN and Schefter must undoubtedly pivot in their strategy from motions for dismissal to assessing what number will extricate them from the case before a jury is asked to put a price on this privacy intrusion, at a time when the public grows angrier and angrier about data breaches.
HIPAA is not the end of healthcare information breach exposure. In view of the growing minefield of privacy laws and regulations at the state and federal level, it is only the beginning. If you have questions about a healthcare information breach, breach lawsuit or regulatory proceeding or steps to reduce the risks of a breach, please contact Kenneth N. Rashbaum.