Former New York Yankee Lou Gehrig died 71 years ago from amyotrophic lateral sclerosis, or ALS, now known as Lou Gehrig's disease. Now some legislators in Minnesota want to make his medical records, maintained at the Mayo Clinic, public. A story in the Star Tribune raises the question of how long a patient's personal health information remains private after the patient's death. According to the Mayo Clinic, "only the spouse, parents, or Gehrig's appointed representative have access to his medical records." Phyllis Kahn, a Minnesota state Representative, has proposed a state law that would no longer prohibit the release of the medical records of someone who has been dead at least 50 years, does not have a will that blocks release of the records, and does not have any direct descendants objecting. A similar proposed federal regulation is also under discussion. Advocates stress that access to medical records after a period of time has elapsed could assist scientific research. The slugger who described himself as the luckiest man on the face of the earth may have more to contribute to privacy regulation, and perhaps to medical science. Stay tuned.
The U.S. District Court for the Southern District of Ohio found that the confidentiality rights of patients outweighed a plaintiff's need to take discovery of patient medical records in Kapp v. Jewish Hospital, Inc. Plaintiff, a former nurse, brought suit in federal court in Ohio, alleging she was terminated in violation of federal employment discrimination laws. Specifically, plaintiff alleged that defendant had alternative motives for her termination, including her age, perceived disability, and request for FMLA leave. To establish her case, plaintiff sought to ascertain through the discovery process whether other similarly situated nurses were treated in a like manner. To do so, plaintiff filed a motion to compel seeking access to non-party patient records, in an attempt to discern whether other nurses had engaged in essentially the same conduct for which defendant terminated plaintiff but were not themselves terminated. The Magistrate Judge denied plaintiff's motion to compel and held that Ohio's strict physician-patient privilege law applied to prevent production of the records. Plaintiff objected to the Magistrate Judge's Order, and those objections were heard by the District Court Judge, who held that "[a]lthough state privilege law does not control…there are abundant and adequate federal principles that protect patient confidentiality." The Court went on to state,
the non-party patients’ right to confidentiality outweighs the plaintiff’s proffered justification for accessing the non-party patient medical records.
The Court went on to say that the Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients' right to confidentiality and HIPAA's Privacy Rule grants federal protections for patients' personal health information held by covered entities and gives patients rights regarding that information. In this case, the plaintiff had other, less-intrusive options for discovering whether the hospital treated similarly situated nurses differently, including, for example, narrowing the scope of the request by deposing other nurses who had worked with the physician in question, the hospital's human resources personnel, or other nurse supervisors.
The broad discovery sought by plaintiff in this matter is not an uncommon approach taken by the plaintiffs' bar in an effort to prove the merits of their clients' claims. Employers, especially those in the healthcare industry, must be aware of opinions like Kapp in their efforts to limit plaintiffs' unfounded discovery requests and to protect their patients' privacy.
A Missouri federal district court has ruled, in I.S. v. Washington University, that a HIPAA-covered entity's disclosure of protected information can form the basis for a state-law negligence claim. The Court reached this holding despite the well-accepted principle that there is no private cause of action under HIPAA.
The plaintiff, I.S., was undergoing medical treatment for colon cancer at Washington University. I.S. gave Washington University a limited authorization to disclose only the dates of her treatments in order to satisfy her employer’s medical leave requirements. Notwithstanding this limited authorization, plaintiff asserts that Washington University also sent her employer additional medical records and information that far exceeded her authorization. These included I.S.’s HIV status, mental health issues, and insomnia treatments. Based on that disclosure, I.S. sued Washington University for negligence per se based on a violation of HIPAA.
Procedurally, Washington University removed the state court action to federal court and sought dismissal of the negligence per se claim, arguing that HIPAA does not create a private cause of action.
The district court, disagreeing with Washington University, held the plaintiff’s claim could stand despite its exclusive reliance on HIPAA. The court held that a federal statute that does not provide for a private right of action nevertheless may be a legitimate element of a state law negligence per se claim.
Under Missouri law, among other things, the plaintiff must show:
· a violation of a statute or ordinance occurred,
· the plaintiff was a member of the class of people intended to be protected,
· the injury complained of was of the type the statute was intended to protect against, and
· the violation was the proximate cause of the plaintiff's injury.
The Court found that I.S. had met all of the required elements of her claim and remanded the case to state court. It held that I.S.'s claim, although premised on HIPAA, did not raise a federal question, as it did not implicate any compelling federal interests or present a substantial federal question.
This case illustrates the need for HIPAA covered entities to provide training and institute policies and procedures regarding HIPAA compliance. Here, a process for responding to requests for information would have highlighted the importance of carefully adhering to the limits of the authorization and prevented this alleged unauthorized disclosure, thus precluding I.S.’s claims. Additionally, employers, and their counsel, must be aware that common law claims may support litigation based on HIPAA, despite the fact HIPAA itself does not provide for a private cause of action.
In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data. This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine. The Massachusetts hospital settlement arose from an incident in which a hospital employee took home documents containing sensitive personal information on patients and then lost those documents while commuting to work.
While the settlement did not include an admission of liability, the hospital must, in addition to the monetary payment and submission to HHS oversight, adopt more stringent privacy practices and retain an independent security and privacy monitor. The investigation of the incident found that the hospital failed to implement reasonable and appropriate standards to protect the privacy of patient information removed from the facility. Under the settlement, the hospital must present new administrative, physical, and technical safeguard policies and procedures for privacy and data security to HHS for approval. Specifically, these policies and procedures must address the physical removal and transportation of protected health information and the encryption of portable storage devices. Despite a general prohibition on employees physically removing protected health information from the hospital, HHS permitted an exception when the information is removed by an employee to perform his or her job duties. Additionally, the hospital must implement training for all employees.
This settlement, when considered with the 4.3 million dollar fine, likely signals how HHS will approach future enforcement actions. In light of this, covered entities must seriously examine their privacy and security obligations, including implementing appropriate policies and procedures regarding the safeguarding of information.
Indiana recently enacted a new law granting the Indiana Office of the Attorney General's Identity Theft Unit authority to obtain and secure abandoned records containing personally identifying information, including health records, and either destroy them or return them to their owners. Additionally, the new law sets fines and other legal ramifications for health care providers or licensed professionals who leave such records unsecured in violation of state law. In fact, the Attorney General has already used this authority to obtain personal records from four entities.
This grant of authority to the Indiana Attorney General supplements the authority previously granted to state attorneys general by the Health Information Technology for Economic and Clinical Health (HITECH) Act to enforce the privacy and security protections of HIPAA for protected health information. As we have previously discussed, the Connecticut Attorney General has filed a civil action against Health Net and has instituted an investigation of Griffin Hospital for violations of HIPAA.
The Indiana statute, like the authority granted to attorneys general under HITECH, highlights the need for companies to develop and implement comprehensive data security policies to secure their records.
Does your HR staff know the limits on what they may tell prospective employers about former employees?
In this case, the US Equal Employment Opportunity Commission (EEOC) alleged that 7-Eleven of Hawaii failed to keep a former employee's medical information confidential by disclosing the information to a prospective employer, in violation of the ADA, which caused the prospective employer to rescind a job offer. The EEOC filed suit in federal district court (EEOC v. 7-Eleven of Hawaii, Inc., D. Haw., No. CV 07-00478-SPK-BMK) and, after the District Court ruled in 7-Eleven's favor, the EEOC appealed the decision in August 2008 to the US Court of Appeals for the Ninth Circuit.
However, on August 2, the EEOC announced a settlement under which 7-Eleven of Hawaii will:
- pay $10,000,
- provide annual training to its human resources personnel and managers in equal employment opportunity, with an emphasis on the ADA requirements concerning confidentiality, and
- for a period of two years, report annually to the EEOC regarding the company's policies and proposed training programs with respect to disability discrimination, medical disclosure, non-retaliation, and reasonable accommodation.
In comments about the case, EEOC representatives made clear that the ADA confidentiality requirements apply to applicants, current employees, and former employees. Earlier in the year, we wrote about a recent EEOC senior staff attorney's informal letter concerning the duties of federal employees and contractors relating to medical confidentiality. It is unclear whether these actions by the EEOC suggest a greater emphasis on enforcement of medical records confidentiality under the ADA. Regardless, employers should be taking preventive steps to comply with these requirements. Some steps include:
- Creating a culture of confidentiality concerning medical records, whether those records are subject to the ADA, HIPAA, or some other law.
- Reminding employees that medical information is confidential and that access is on a need-to-know basis.
- Reviewing and revising administrative, physical, and technical safeguards as necessary and appropriate to protect medical information, such as requiring employees to keep their desks clear of sensitive information and to lock doors and file cabinets.