[ Monday, June 27, 2016 ]


Is the theft of NFL Players' medical records from a Redskins' trainer a HIPAA violation?  Almost certainly not.  But it is likely a violation of some state data protection laws, and almost certainly raises a data breach notification obligation.

A Redskins trainer left a backpack containing paper medical records, as well as a laptop with electronic medical records, of current and former NFL players in a locked car; the car was burgled and the backpack (and its contents) stolen.  The laptop was password-protected, but the electronic data was not encrypted. This is not good.  But it's also unlikely to be a HIPAA violation, mainly because it's unlikely there is a HIPAA covered entity involved.

No breach without a CE or BA: The NFL itself, and the Washington Redskins specifically, are not health plans, health care providers, or health care clearinghouses.   Therefore, they are not "covered entities" (or CEs) under HIPAA.  The trainer is most likely a health care provider, which would make him/her a CE if he/she engages in electronic transactions of the sort regulated by HIPAA.  These would be submitting billing to insurance, checking for insurance coverage and benefits, tracking payments, etc.  I would be extremely surprised if he/she did so, since I assume he/she is paid by the Redskins for services provided.

It also does not seem likely that the NFL, the Washington Redskins, or the trainer were acting as a "business associate" (or BA) of some other CE in connection with the lost data.  Without a CE or a BA, there can't be a HIPAA breach.

One possible caveat: the Players Association is all over this story.  It is possible that the Players Association is structured in such a way that it (or a component of it) is a CE by virtue of being a health plan.  I doubt that, since I doubt the PA pays or provides for medical care; I assume the teams pay for their own players' medical care.  But that unlikely event is the only way I see HIPAA being involved here.

Employment records aren't PHI: Even if there were a BA or CE involved here somehow, there's still the question of whether the data lost was "protected health information" (or PHI) under HIPAA's definition.  The definition of PHI is extremely broad, and it's likely that this information could be PHI, but the definition does have an exception that might be applicable here.  Namely, "employment records held by a covered entity in its role as employer" are specifically excluded from the definition of PHI.  We don't know for sure, but it seems like the lost data might be "employment records."

Encryption is not required: The article states, "Storage of data on unencrypted devices does not adhere to both local and federal medical privacy standards, including HIPAA, making the breach a potentially costly one for the NFL."  Not true.  Don't get me wrong; encryption is best practice, and I highly recommend it, not least because HIPAA's breach notification provisions are inapplicable if the lost data is encrypted.  But encryption is not required, and therefore storing data on unencrypted devices does not fail to meet a standard under HIPAA.  Some states (MA for sure) have state-level encryption requirements, but it's impossible to tell from the article whether those state statutes would be implicated, or whether the state regulators would be able to commence an enforcement action.

State laws may apply: Depending on where the theft occurred, the states of residence of the affected individuals, the location of the responsible parties (are the Redskins actually in DC, or in Maryland or Virginia?), and the location of the theft (Indianapolis), various state laws may be implicated.  Some states have laws requiring reasonable security for personally identifiable information; most have laws requiring the notification of individuals whose data has been breached.  Those laws vary greatly, but it's pretty safe to say some would be implicated by this situation.  Some do not require notification if there is little or no risk of harm from the breach, and it's possible that the NFL and the Redskins could come to that conclusion based on the fact that the laptop was password-protected; that wouldn't cure the problem with the paper records, though.  Regardless, that's a fact-specific matter based on the reasonable conclusion of the parties involved.  I would expect the NFL and/or the Redskins to notify all individuals involved, regardless of whether it's legally required or not.

Jeff [5:50 PM]
