Since the start of the coronavirus, there have been a lot of people claiming that their HIPAA rights have been violated. Most notable, Dallas Cowboy running back Ezekiel Elliott. In preparation for the upcoming football season, the NFL has been testing players for COVID-19. After Ezekiel Elliott tested positive for the virus, his results were made public. He claims that this was a HIPAA violation. However, it is unclear the source of the leaked information, so it is not necessarily a HIPAA violation. To clear up the misconceptions around HIPAA violations, one of the most common reasons to file a HIPAA violation case is discussed below.
Are you adequately protecting patient data?
Find out now with our HIPAA compliance checklist.
HIPAA Violation Case: Uses and Disclosures
There are several reasons that patients can claim that their HIPAA rights were violated to file a HIPAA violation case. The most common is improper use and disclosure of protected health information (PHI). There are specific rules for how PHI is permitted to be used and disclosed by covered entities or business associates. PHI cannot be disclosed outside of treatment, payment, or healthcare operations, without prior patient authorization.
Under HIPAA, COVID-19 results are considered PHI, as such they may not be disclosed to the media without prior patient consent. If Ezekiel Elliott’s HIPAA rights were violated, it would have fallen into this category. So, was disclosing Ezekiel Elliott’s test results to the media a HIPAA violation? Well the answer to that is unclear. It depends on who disclosed the information.
 The HIPAA regulations ONLY applies to covered entities (healthcare providers, healthcare clearinghouses, health plans) and business associates (vendors that covered entities contract for services). If Ezekiel Elliott’s results were disclosed by a covered entity, business associate, or someone who works for either entity, it was ABSOLUTELY a HIPAA violation. If his results were disclosed by his agent, a teammate, or someone else who knew of the results, then it was not a HIPAA violation.
