Why aren’t the NFL’s injury reports a HIPAA violation?

In recent years the National Football League’s weekly injury report has caused quite a stir, most notably for its questionable toeing of the line regarding the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

HIPAA states that private health information is not to be provided to parties, such as employers, without the consent of the employee. In stark contrast to this, the NFL Injury Report Policy states that “All players with significant or noteworthy injuries must be listed on the report, even if the player takes all the reps in practice, and even if the team is certain that he will play in the upcoming game. This is especially true of key players and those players whose injuries have been covered extensively by the media.”

The NFL has a history of doling out fines to teams that violate this policy. It issued a $20,000 fine to the Washington Redskins for not immediately disclosing that Robert Griffin III had suffered a concussion and issued the same penalty to the Buffalo Bills for not disclosing Mario Williams’ wrist injury.

But leave it to none other than John Harbaugh, an often outspoken critic of the league, to chime in on the debate when the Baltimore Ravens were fined for not reporting Ed Reed’s torn labrum in October of 2012. When questioned about the incident, Harbaugh said, “Aren’t there HIPAA rights here?  I mean, if I’m a player and I’ve been playing and I’ve been out there playing and I don’t want that on the injury report, and I’m told I have to put that on the injury report, we’ve got some players that resent that.  So, yeah, I’ve got a problem with that, in all honesty.”

What Harbaugh failed to see is that HIPAA often excludes employers. The privacy rules only apply to “covered entities.” Under HIPAA, a covered entity is either a health plan, health care clearinghouse or a self-insured health care provider. It may be a bit unsettling to realize that many employers in fact are not covered entities. Since the NFL does provide health care facilities and acts as an intermediary between medical providers and employers, the fine line becomes even more blurred.

The NFL is notorious for leaking player information. In July of 2015 it became public knowledge that Jason Pierre-Paul of the New York Giants had his right index finger amputated at Jackson Memorial Hospital in Miami after a fireworks accident. The information was reported via ESPN reporter Adam Schefter’s Twitter account.

The result was a media firestorm and public relations nightmare for ESPN as well as Jackson Memorial Hospital. The tweet itself sparked a lot of controversy amongst Pierre-Paul’s fellow players, who spoke out against the reporting of such incidents via social media. Pierre-Paul also filed suit against both ESPN and Jackson Memorial Hospital in a Dade County court in February. On August 25, Judge Marcia Cooke dismissed ESPN and Schefter’s claim citing their perceived First Amendment protections and allowed the rulings to proceed. Although Schefter did not directly violate any HIPAA laws, Jackson Memorial has settled the lawsuit brought against it and fired two employees responsible for the leak.

Based on data available from the U.S. Department of Health and Human Services, these breaches of privacy are not uncommon. The department reported that in 2015, 112 million healthcare records were compromised, 111 million of which occurred across 10 different major organizations. It found that about 55 percent of the data in those breaches was physically stolen (as with this case). However, 6 percent of data was compromised by hackers and about 5 percent through improper disposal of data. That is a costly mistake for health care providers and potentially NFL teams alike. If sensitive information not disclosed on an injury report were to be compromised, then the team could face the same fate as Harbaugh’s 2012 Baltimore Ravens. It appears a leak-friendly league like the NFL could benefit from utilizing a HIPAA-friendly encryption service for the correspondence between team doctors and their organizations to avoid a similar suit.

Image Source: Compliance and Safety LLC http://complianceandsafety.com


2 thoughts on “Why aren’t the NFL’s injury reports a HIPAA violation?”

  1. Interesting piece, thanks for the insight! Certainly could be better communication between docs, players, coaches, teams, league, and fan.

