I, like most football fans around the country and around the world, love to be up to speed on the deeds and misdeeds of players in the NFL. To hear that a player of the caliber of Pierre-Paul did something so stupid as to blow up his own hand playing with firecrackers over the 4th of July holiday makes for great water cooler commentary. That said, as an IT Security professional with multiple medical clients, I am tremendously concerned to see a picture of Pierre-Paul’s medical record posted on Twitter by ESPN’s Adam Schefter.
Let me first say that short of physically entering the hospital and stealing the record by force, I do not believe Schefter broke any laws. I imagine that he or someone else associated with ESPN talked their way into seeing the record using the cachet that comes from being part of the world’s largest sports network. Unfortunately, someone else did break the law or laws associated with that medical facility, and Pierre-Paul, his legal team, and the United States Department of Health and Human Services are going to find out who it was and take action at a variety of legal levels.
HIPAA and its privacy and security rules are a big deal. Privacy in general is a big deal. Patients, regardless of their status in public or on a field of play, have the right to manage information concerning their health. Medical professionals must take this type of breach very seriously. Perhaps it is time to extend the Hippocratic Oath of “First, do no harm” beyond just the clinical care of the patient. Perhaps their information should also be cared for with the same sense of honor and respect.