HIPAA and Football Heroes

When a public figure like Damar Hamlin is injured and 23 million people are watching, does he have any HIPAA privacy rights left?

We watched in real time as medics and doctors assisted Damar on the field, and then we heard medical updates later that day and as the days went by. Why was this information public? Who made the decisions about when and what to disclose – was it the media, the NFL, the hospital or Damar’s family? Does it matter?

A shocking injury like this grabs the public's attention. There was a huge outpouring of grief, compassion and concern nationwide among football fans and non-fans. A big swath of the public is invested and interested in football, and even if we don't watch it all the time, it's undeniably part of this country's popular culture.

The NFL disseminates massive amounts of public information about the games and the players, and much of it is personal because fans are invested in the players, and are curious. NFL players surrender a certain amount of privacy in their contracts in exchange for their employment in the public arena. But when it comes to medical privacy, HIPAA governs what healthcare providers can disclose, not the NFL contract.

The HIPAA Privacy Rule Sets the Stage

The fundamental rule is that covered entities may not disclose an individual's protected health information (PHI) without authorization to anyone except the individual to whom it belongs. There are three exceptions, namely, it may be used or disclosed for purposes of treatment, payment or health care operations.

The NFL is not a covered entity so it is not governed by HIPAA. News media outlets are not covered entities and are not governed by HIPAA. There are other state privacy laws, and as mentioned, there is likely a contract that outlines how publicity and privacy will be handled for an NFL player by his employer.

So all the initial news reports from various news outlets covering the game did not violate HIPAA when reporting information they received from the Buffalo Bills organization or the NFL. The Bills and the NFL did not violate HIPAA because they are not covered entities either. HIPAA only applies to the doctors, the medics and the hospital.

Celebrities Have the Same Rights to Medical Privacy as the Rest of Us

Although hospital spokespersons and treating physicians generally are the ones speaking publicly about the patients’ medical condition, they are doing so strictly in line with an authorization provided by the patient. It is never appropriate for a health care provider to reveal more than what has been authorized.

The reason we’ve been hearing details about Damar Hamlin’s condition is likely because he and his family chose to allow the information to be disclosed. In the beginning he was unable to communicate, so a family member or close friend may have been serving as his personal representative and gave the authorization on his behalf.

From the time of his injury on January 2 until today, January 10, University of Cincinnati Medical Center regularly gave press conferences to update the public about Damar's condition, and likely did so because Damar (or his personal representative) had consented to, or authorized, these updates. By January 8, Damar was tweeting his own messages to fans, including pictures of himself in recovery. He has the freedom to do that because he may choose to share information about himself without violating HIPAA.

Key Takeaway about HIPAA and Celebrities

Being in the public eye does not mean the public is entitled to private medical information about a person. We learned details about Damar Hamlin's condition because he consented to our learning about it.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
