The Philadelphia Eagles’ Super Bowl aspirations dimmed on a late autumn afternoon when two Rams defenders hammered their star quarterback, Carson Wentz, on a run to the end zone that was called back for a penalty. Wentz stayed in the game and threw a touchdown pass, but soon disappeared into the locker room for the remainder of the game. By mid-week, the medical reports confirmed what most Eagles fans already seemed to know: Wentz had torn ligaments in his knee and was finished for the season.

In the two weeks leading up to the Super Bowl, sports media filled time and space with stories about the cut on Tom Brady’s hand and Rob Gronkowski’s expected clearance to play after suffering a concussion.

How, in the world of HIPAA privacy and security, was so much medical information available for public consumption?

The intense focus on the Super Bowl, and on professional sports in general, provides a reminder about one of the most fundamental aspects of HIPAA: it does not apply to everyone. Only covered entities and their business associates are subject to HIPAA’s privacy and security rules. There are only three types of covered entities: health plans, most health care providers, and health care clearinghouses (entities that translate data to and from the standard HIPAA format in certain transactions). Business associates are individuals and organizations that obtain or create individually identifiable health information (known as “protected health information”) while performing services for a covered entity.

A National Football League franchise is neither a covered entity nor a business associate. With regard to its players, it is an employer, and employers are not subject to HIPAA’s privacy and security rules, at least not when they perform basic employment functions. Even hospitals are not treated as covered entities with regard to their own staff. In fact, the regulations make doubly sure that a covered entity will not be subject to HIPAA when acting as an employer, by providing that the employment records of a covered entity are not protected health information under HIPAA. HIPAA does not apply to everyone or everything.

This does not get employers off the hook altogether. An employer generally needs to comply with HIPAA when it handles individually identifiable health information from its own health plans. A hospital or other health care provider that is subject to HIPAA must meet the privacy and security rules if it accesses patient records to address an employment issue. In the ordinary course of employee relations, however, HIPAA does not apply.

That being said, most employers act with discretion when it comes to an employee’s illness or injury. Even where HIPAA itself does not apply, it has helped generate the greater concern for confidentiality that employers typically observe (and HIPAA is not the only source of potential liability for inappropriate disclosures). In this regard, the glare of professional sports and the demands for information about a player’s health are unusual. But they still raise questions, including the question of where employers obtain their information in the first place. Aren’t the doctors who treat professional athletes subject to HIPAA? How are they able to disclose information to the franchise, and sometimes directly to the media?