Who is Responsible for Data?

In February, NFL player Jason Pierre-Paul and ESPN reached a settlement in Pierre-Paul’s invasion of privacy suit against ESPN and its reporter Adam Schefter. The lawsuit stemmed from Schefter’s tweet of a screenshot of Pierre-Paul’s medical chart following a July 2015 hospital visit. Pierre-Paul had been involved in a Fourth of July fireworks accident, requiring amputation of a finger, among other procedures. The screenshot of his medical chart from Jackson Memorial Hospital in Miami showed record of the amputation, a skin graft, and other details.

Pierre-Paul’s suit, filed in February 2016, asserted an invasion of privacy claim against ESPN and Schefter. What makes this otherwise routine privacy litigation interesting (aside from involving a famous NFL player and well-known reporter) is that Schefter is not a medical provider of any kind. Pierre-Paul did not allege that ESPN violated HIPAA or any other personal information or data privacy law, presumably for that reason. Unquestionably, it was a HIPAA violation for these records to have been made public—but the HIPAA obligations fall upon the hospital, not ESPN. Two employees of the hospital were fired in connection with the incident for inappropriately accessing the records. However, Pierre-Paul argued that Schefter became a records custodian once he obtained them, even though Schefter did not ask for them and made no effort to obtain them.

ESPN issued a statement saying that it believes its reporting was “journalistically appropriate” and that the item was newsworthy. Nonetheless, it apparently thought the risk of an adverse judgment was sufficient to make a settlement payment of some amount appropriate (the terms of the settlement remain confidential). This litigation raises interesting (and potentially concerning) questions about a company’s responsibilities with respect to data and information it neither generated itself nor sought out, but nonetheless obtains.

Hospitals and medical providers are generally well-versed in HIPAA and other medical record privacy laws, and train their staff to ensure compliance, but issues relating to electronic media add a significant layer of difficulty. Similarly, retailers that might store customer addresses and credit card numbers, or financial services firms that retain personal financial data, are increasingly becoming aware of these privacy issues. Still, most companies are not tracking regulations concerning personal information of a kind they do not usually deal in, or training their employees on such regulations (as with medical information at ESPN, a sports media company). The possibility of being presented with such information is not out of the question in today’s world of WikiLeaks and other rogue actors who might obtain information through improper channels and pass it along to an individual or company for any number of reasons. The parties’ settlement leaves it unclear how some of these legal issues would shake out. However, organization leaders should be aware that individuals may seek to impose the status of document custodian on those who have come across information inadvertently, and should have a plan for what to do with such information.
