Potential HIPAA Violations in the Aftermath of Prince’s Death?

By | April 22, 2016


Prince BlogHIPAA

Following Prince’s sudden death on April 21, 2016, media speculation about the causes surrounding the event have already begun to circulate widely.

TMZ has reported that the artist was treated for a drug overdose just six days prior to his death. His private jet was reported to have made an emergency landing in Moline, Illinois where Prince was taken to a hospital just hours after performing in Atlanta.

TMZ cites “several sources in Moline” in their report, saying that doctors gave him treatment “typically administered to counteract the effects of an opiate.” TMZ has since reported that the treatment was given by EMTs in response to a Percocet overdose.

While the story itself does not constitute a HIPAA violation, the question remains surrounding the integrity of the information that TMZ received in their reporting. If medical professionals or hospital staff disclosed the information about the potential drug overdose, then that would be considered a serious breach of Prince’s rights under the HIPAA Privacy Rule.

The unauthorized disclosure of patients’ protected health information (PHI) is strictly prohibited by federal regulation. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released specific guidance on the issue of PHI and media releases, stating that:

Health care providers cannot invite or allow media personnel […] into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media.  Only in very limited circumstances […] does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.

Celebrities and individuals who have a strong public presence who experience health crises or deaths are often subject to intense media scrutiny and reporting in the aftermath of these events.

Back in July of 2015, a similar scenario played out when New York Giants player Jason Pierre-Paul’s medical records were unlawfully disclosed after being tweeted by an ESPN reporter. But because the records weren’t leaked by a health care professional, the tweet technically does not constitute a HIPAA breach, and OCR cannot step in to remediate the leak.

The same reasoning holds true for TMZ’s story. If, upon further reporting, it becomes apparent that a medical professional was responsible for leaking the story, then the hospital could potentially be at fault for violating Prince’s rights under the HIPAA Privacy Rule. However, as it stands, TMZ and other news media outlets reporting this, or similar stories, cannot be charged with violating HIPAA.