
Polsinelli - Health Care


July 2015


Don't Fumble Your HIPAA Obligations: Ensure Your HIPAA Playbook Implements Appropriate Protections for Patients







For more information about this e-Alert, please contact:


Ken Briggs





Kathleen D. Kenney





Erin Fleming Dunlap





Health Care Practice Leaders:


Matthew J. Murer

Practice Area Chair




Jane E. Arnold

Practice Area Vice Chair




Colleen M. Faddick

Practice Area Vice Chair





The injuries suffered by a professional football player brought the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA") to the center of media attention during the days following July 4. Jason Pierre-Paul, a defensive end for the New York Giants, suffered a firework-related injury to his hand during the Independence Day celebrations. Mr. Pierre-Paul's medical record became the talk of the internet when Adam Schefter of ESPN posted a picture of Mr. Pierre-Paul's medical record along with the following message on his Twitter account: "ESPN obtained medical charts that show Giants DE Jason Pierre-Paul had right index finger amputated today." In response to the incident, the CEO of Jackson Health System, which operates the hospital where Mr. Pierre-Paul is being treated, stated that an "aggressive internal investigation looking into these allegations is underway."

While Jackson Health System continues to investigate the incident to determine the root cause of the alleged breach, compliance officials may want to use this highly publicized incident as a teaching moment to remind workforce members of their ongoing obligations to protect patient privacy. HIPAA requires covered entities to ensure reasonable and appropriate technical, administrative, and physical safeguards are in place to protect patients' protected health information. Covered entities are also required to limit workforce members' access rights based on their particular job functions and inform workforce members of the sanctions that will be imposed against "snooping" employees who use or disclose patient information in violation of HIPAA.

Even if a hospital or other provider is not servicing high-profile patients, common snooping may still be a problem. The Department of Health and Human Services, Office for Civil Rights (OCR) has issued clear guidance that snooping does not meet one of the breach exceptions because it is intentional and in bad faith. Workforce members need to be reminded that patient information should only be accessed to perform job functions, and snooping (whether for improper motive or simple curiosity) is strictly prohibited. Even sharing information about patients with other workforce members who do not need the information to perform their job violates HIPAA.

The cost of failing to comply with HIPAA has proven to be high in snooping cases. OCR has investigated a number of these cases and entered into resolution agreements with covered entities requiring payments as high as $865,000. Significantly, these costs do not include the costs associated with investigating, remediating, and mitigating a breach under HIPAA. A covered entity may also be hit with enforcement at the state level and lawsuits from affected patients, which are on the rise. The costs can be extraordinary even when there is an apparently straightforward breach that only affects one individual.

Success at the game of HIPAA can be maximized through diligent training and monitoring -- and sanctioning workforce members for violations. Here are a few steps from our HIPAA playbook that can help minimize HIPAA violations by workforce members:

  • Periodically review OCR enforcement actions and case settlements to determine if additional training or safeguards should be implemented.
  • Implement robust training to ensure workforce members are aware of their obligations to protect patient privacy, regardless of the patient, and the sanctions that will be imposed for failure to comply—including termination of employment if warranted.
  • Determine the extent to which technical and/or physical safeguards can be placed on the medical records to track, trigger alerts, flag, or restrict access to the records.
  • Review your HIPAA policies and procedures to ensure that they address workforce members' access rights.








Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.

Copyright © 2015 Polsinelli PC.
