The National Football League (NFL) has endured several high-profile incidents around HIPAA compliance and the protected health information of its players. With 32 teams and up to 53 players on each team, the league, its owners and coaching staff are responsible for the PHI of nearly 1700 athletes.
This post is about HIPAA compliance and the NFL.
Thousands of Medical Records Stolen from Trainer's Car
Last year the NFL reported that thousands of players’ healthcare records were breached after a laptop was stolen from the car of a Washington Redskins trainer. The stolen medical records encompassed 13 years of current and former players’ protected health information (PHI). In an official statement from the NFL to the players’ union, NFLPA Executive Director DeMaurice Smith said:

Men,

It has come to our attention that the backpack belonging to a Washington Redskins’ athletic trainer was stolen from a car following a break-in. We have been advised that the backpack contained a password protected, but unencrypted, laptop that had copies of the medical exam results for NFL Combine attendees from 2004 until the present, as well as certain Redskins’ player records. We have also been advised that the backpack contained a zip drive and certain hard copy records of NFL Combine medical examinations as well as portions of current Redskins’ player medical records. It is our understanding that our Electronic Monitoring System prevented the downloading of any player medical records held by the team from the new EMR system.

The NFLPA has consulted with the U.S. Department of Health and Human Services regarding this matter. The NFLPA also continues to be briefed by the NFL on how they intend to deal with both the breach by a club employee, the violation of NFL and NFLPA rules regarding the storage of personal data, and what the NFL intends to do with respect to notifying those who may be affected. We will keep you apprised of what we hear from the team and League.

All inquiries regarding this matter should be directed to the NFL Management Council lawyers (212-450-2000) and/or the Washington Redskins (703-726-7000).

Thank you,
De

What's interesting to note in the letter is the admission that although the stolen laptop was password protected, its hard drive was not encrypted.
There are numerous HIPAA fines already on record involving stolen laptops with unencrypted hard drives.
The messaging from the U.S. Department of Health & Human Services (HHS) is crystal clear: a login password alone is not enough for HIPAA compliance on laptops, because a password-protected but unencrypted drive can simply be removed and read on another machine.
You must also encrypt the hard drive. It will be interesting to follow this story as the HHS conducts its investigation.
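The practical check behind that guidance is verifying that every volume where records could live actually sits on an encrypted layer, not just behind a login prompt. The script below is an added example, not code from the original post or from the NFL or HHS. It parses the JSON tree produced by `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` on a Linux laptop and reports every mounted filesystem that has no dm-crypt (`type: "crypt"`) device beneath it; the sample tree it ships with is constructed, and the default ignore list for `/boot` and `/boot/efi` is an assumption that those partitions hold no patient data.

```python
"""Audit which mounted filesystems sit on an encrypted block device.

Added example (not from the original post). A password-protected login
does not protect data at rest; this walks the lsblk device tree and
flags every mountpoint that is not layered on a dm-crypt ("crypt") device.
"""
import json
import subprocess
from typing import Dict, List

# Constructed sample output of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`:
# unencrypted EFI and /boot partitions, a LUKS-encrypted root/home on LVM,
# and an unencrypted external drive mounted at /media/records.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
       {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
       {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null,
           "children": [
             {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
             {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"}
           ]}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/media/records"}
     ]}
  ]
}
"""


def unencrypted_mounts(node: Dict, under_crypt: bool = False) -> List[str]:
    """Depth-first walk of the lsblk tree.

    A mountpoint is considered encrypted only if some ancestor device in the
    stack is a dm-crypt mapping (type "crypt"); LVM on top of LUKS therefore
    counts as encrypted, while a plain partition does not.
    """
    findings: List[str] = []
    # The root object lists devices under "blockdevices"; nested devices
    # list theirs under "children".
    for dev in node.get("blockdevices", node.get("children", [])):
        encrypted = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint and not encrypted:
            findings.append(mountpoint)
        findings.extend(unencrypted_mounts(dev, encrypted))
    return findings


def audit(lsblk_json: str, ignore=("/boot", "/boot/efi")) -> List[str]:
    """Return the sorted list of unencrypted mountpoints worth acting on.

    `ignore` defaults to boot partitions, on the assumption (ours, not the
    post's) that they never hold records.
    """
    tree = json.loads(lsblk_json)
    return sorted(m for m in unencrypted_mounts(tree) if m not in ignore)


def live_audit() -> List[str]:
    """Run lsblk on this host and audit the real device tree."""
    out = subprocess.run(
        ["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(out)


if __name__ == "__main__":
    for mp in audit(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED: {mp}")  # prints "UNENCRYPTED: /media/records"
```

On the constructed tree the only finding is `/media/records`: `/` and `/home` pass because their LVM volumes sit on the `cryptroot` mapping, while the external NTFS drive has no such layer. Swap `audit(SAMPLE_LSBLK_JSON)` for `live_audit()` to check a real machine; the `ignore` list is where to decide, per device, which unencrypted mounts are acceptable.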
SEE ALSO: Free Disk Encryption for Mac OS
Hospital Violates HIPAA after NFL Medical Record Tweet
In 2015 an employee at Jackson Memorial Hospital reportedly leaked PHI of Jason Pierre-Paul, the defensive lineman star for the New York Giants, to an ESPN reporter. That reporter, Adam Schefter, then tweeted his medical record online.
ESPN obtained medical charts that show Giants DE Jason Pierre-Paul had right index finger amputated today.
— Adam Schefter (@AdamSchefter) July 8, 2015
The tweet above confirmed that Pierre-Paul had his right finger amputated at the hospital, a surgery attributed to a July 4 fireworks accident. The injury allegedly led to the New York Giants pulling Pierre-Paul's $60 million contract. Pierre-Paul has since sued Adam Schefter and ESPN. It will also be interesting to see what happens to the employee who leaked the protected health information and the hospital they work(ed) at.