ESPN Didn’t Violate HIPAA: A Quick Lawsplainer

Last night twitter erupted with speculation that ESPN violated Jason Pierre-Paul’s HIPAA rights due to one of its reporters tweeting this:

Twitter was outraged. The sages at Pro Football Talk prognosticated that a lawsuit by Pierre-Paul was imminent. HIPAA is supposed to protect our privacy, right? Who wants their colonoscopy records getting made public?

So did ESPN violate HIPAA? Let’s do some early morning lawsplaining.

1. HIPAA Doesn’t Apply to ESPN:

In order for anyone or anything to sue ESPN for a HIPAA violation, HIPAA has to actually apply to ESPN. Think about it this way: another country, let’s call it it Twitterstan, outlaws driving with one hand on the wheel. You drove to work today only using one hand. Can Twitterstan come and arrest you on US soil for a violation of their laws?

No. You aren’t subject to Twitterstan’s laws because you don’t live there and haven’t even been there. Their laws don’t apply to you, just like HIPAA doesn’t apply to ESPN.

Why doesn’t HIPAA apply to ESPN? Because HIPAA only applies to what are called “covered entities” – which are defined in 45 CFR Sec. 162 et. sec. Here’s a powerpoint made by the Department of Health and Human Services explaining it featuring a hippo in a business suit if you reaaaaaaalllly want to see something exciting.

2. There’s No Private Right of Action Under HIPAA

For Jason Pierre-Paul to be able to sue ESPN for violating HIPAA he would have to have standing to be able to sue. For an individual or company to be able to sue for a violation of a statute that statute has to provide standing – the statute has to specifically say that a violation of its terms is “actionable.” Luckily for us a federal court has already decided the issue:

HIPAA does not contain any express language conferring privacy rights upon a specific class of individuals.

Acara v. Banks, 470 F.3d 569 (5th Cir. 2006).

From another federal court case:

Every district court that has considered this issue is in agreement that the statute does not support a private right of action.

Hudes v. Aetna Life Ins. Co., 806 F.Supp.2d 180 (Dis. Ct. of Columbia 2011) (internal citations omitted).

Soooooo yeah. No private right of action under HIPAA means that an individual can’t sue anyone for violating HIPAA.

3. So Should ESPN Have Released Those Medical Records?

I don’t know, man. I’m just a lawyer.

4. Shouldn’t Somebody Get Sued?

That’s the American way, but it all depends on how the medical record got into ESPN’s hands. If the hospital emailed ESPN a copy of the record without Pierre-Paul’s consent, then maybe the government could sue the hospital. But really? You think ESPN’s going to give up whoever gave it that medical record if it wasn’t from Pierre-Paul himself? Good luck with that.

The bottom line is this: don’t get legal advice from twitter. And don’t start suing people for violating your HIPAA rights.
photo credit: Please Keep Door Locked and Students Supervised Medical Records Stored Here HIPA Grand Rapids Montessori School via photopin (license)