California Appellate Court Expands Common Law Right of Privacy

The Fourth District Court of Appeal for the State of California expanded the tort of "public disclosure of private facts" under that state's common law right to privacy in a case involving a claim by an employee against her supervisor and employer. Ignat v. Yum! Brands, Inc. et al, No. G046434, (Cal. Ct. App. March 18, 2013). The plaintiff in that case suffered from bipolar disorder and occasionally missed work due to the side effects of medication adjustments. After returning from such an absence, the plaintiff alleged that her supervisor had informed everyone in her department about her medical condition and that, as a result, she was "shunned" and a co-worker asked if she was going to "go postal." The plaintiff filed suit alleging a single cause of action for invasion of privacy by public disclosure of private facts. The trial court dismissed her claim on summary judgment because the disclosure of her condition was not in writing, relying on California case law from the early 1930s.

On appeal, the court reversed the dismissal, concluding that "limiting liability for public disclosure of private facts to those recorded in writing is contrary to the tort's purpose, which has been since its inception to allow a person to control the kind of information about himself made available to the public - in essence to define his public persona."  The court went on to note that, "[w]hile this restriction may have made sense in the 1890's - when no one dreamed of talk radio or confessional television - it certainly makes no sense now."

The court also clarified that the common law tort of invasion of privacy was not based on the guarantee of privacy which was added to the California Constitution in 1972 and noted that the two legal theories (common law and the State Constitution) provide "separate, albeit related ways to ensure privacy."

Different states have interpreted the common law right of privacy in the workplace in different ways. In Minnesota, for example, a district court rejected a lawsuit by an employee who claimed that her employer violated her right to privacy when it informed approximately 12 to 15 individuals that she suffered from multiple sclerosis. That court determined that because the disclosure was not "accessible to the public at large," it did not qualify as public in nature for purposes of maintaining an invasion of privacy claim. Johnson v. Campbell Mithun, 401 F. Supp.2d 964 (Minn. 2005).

If an employee is out on medical leave or requires an accommodation, employers may be asked what information, if any, can be disclosed to co-workers and supervisors about that employee's medical condition, and the reason for her leave or accommodation. HIPAA is probably not implicated in such situations because most employers are not covered entities in this context. Both the Americans with Disabilities Act (ADA) and the Family Medical Leave Act (FMLA), however, require employers to maintain confidentiality of medical information. See 29 C.F.R. Section 1630.14(c) (relating to ADA) and 29 C.F.R. Section 825.500 (relating to FMLA).

Employees asserting a common law claim for invasion of privacy against their employer based on the disclosure of medical information have not often been successful, but Ignat suggests the tide may be changing. The best practice is to reveal as little as possible to those with a need to know.


Social Media: A Key Source of Evidence in Employment Cases

As a growing number of states pass laws to restrict employers from gaining access to employees' personal social media accounts, what employees post in social media can be critical evidence in employment-related investigations and litigations. Check out my partner J. Gregory Grisham's recent article in HR Professionals Magazine discussing a recent Sixth Circuit decision concerning this issue in an FMLA context. 

 


Where the FMLA and HIPAA Meet

Written by Nick Beermann

In a case addressing the Family Medical Leave Act (FMLA) that directly implicates the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), Pacosa v. Kaiser Foundation Health Plan of the Northwest, the Portland Division of the United States District Court of Oregon awarded summary judgment against a physician assistant who claimed he was discharged in retaliation for taking FMLA leave. While the court primarily focused on the boundaries of what constitutes FMLA retaliation, the case serves as a good example of the limits healthcare companies can place on employee access to available protected health information and enforcement mechanisms for addressing violations of such access.

Frank Pacosa was a physician assistant for Kaiser Foundation Health Plan of the Northwest in Portland, Oregon. He alleged that he took intermittent leave under the FMLA from 2001 to 2008 to care for his wife, who had clinical depression. While employed, Pacosa signed a number of confidentiality agreements, which prohibited him from accessing his own health records or those of his family or friends on Kaiser Permanente’s proprietary medical records system unless he had specific authorization from the patient and the access was approved. An additional confidentiality policy, which he signed and was trained on, prohibited him, as an employee, from accessing any protected health information records except where related to his job.

In 2008, Kaiser Permanente’s Compliance Department received a series of phone calls from Pacosa’s wife, who informed it that Pacosa had accessed her medical records without authorization and that he was using the information to obtain a restraining order against her. The Compliance Department’s investigation revealed that Pacosa had accessed his wife’s records without authorization, and further accessed and edited his daughter’s records as if he was the treating medical provider, all while he was on alleged FMLA leave.

Kaiser Permanente determined that Pacosa, who at one time served on the Confidentiality Committee and Health Information Management Committee, improperly and with intent of personal gain, accessed the protected health information of his wife and daughter, violating its confidentiality policies. Kaiser Permanente terminated Pacosa’s employment on October 30, 2008.

Pacosa sued Kaiser Permanente in Oregon District Court, alleging multiple state and federal statutory violations, including that his termination interfered with his leave rights under the FMLA. The Oregon District Court granted summary judgment on each of Pacosa’s claims, determining that there was no issue of material fact that Pacosa violated confidentiality policies, which was the reason for his termination rather than any FMLA violation.

As we have touched upon in previous posts, the chance of a data breach or information misuse rises with the use of electronic data and employee access to that data. Of course, the advent of the electronic medical record is both a result of developing technology and required under HIPAA, but as Mr. Pacosa’s termination illustrates, the portability of electronic records makes it easy to view or misuse a patient’s private health information.

Kaiser Permanente’s repeated distribution of confidentiality policies, and the obligations it placed on employees to secure and limit access to protected health information, illustrate a best practice and the minimum necessary compliance obligation that covered entities have under HIPAA’s privacy rule and recent changes to it in the American Recovery and Reinvestment Act of 2009 (“ARRA”). The Pacosa case serves as another reminder to covered entities to review and place appropriate limits on employee access to protected health information.
 
