No Discovery of Patient Records In Federal Employment Case

Posted on July 26, 2011 by Jason C. Gavejian

The U.S. District Court for the Southern District of Ohio found the confidentiality rights of patients outweighed a plaintiff’s need to take discovery of patient medical records in Kapp v. Jewish Hospital, Inc.  Plaintiff, a former nurse, brought suit in the federal court in Ohio, alleging she was terminated in violation of federal employment discrimination laws.  Specifically, plaintiff alleged defendant had alternative motives for plaintiff’s termination, including plaintiff’s age, perceived disability, and plaintiff’s request for FMLA leave.  To establish her case, plaintiff sought to ascertain through the discovery process, whether other similarly situated nurses, were treated in a like manner.  To do so, plaintiff filed a motion to compel seeking access to non-party patient records in an attempt to discern if other nurses participated in essentially the same conduct for which defendant terminated plaintiff, but were not themselves terminated.  The Magistrate Judge denied plaintiff’s motion to compel and held that Ohio's strict physician-patient privilege law applied to prevent production of the records.  The plaintiff objected to the Magistrate Judge’s Order, and those objections were heard by the District Court Judge.  The District Court Judge held that “[a]lthough state privilege law does not control…there are abundant and adequate federal principals that protect patient confidentiality.”  The Court went on to state,

the non-party patients’ right to confidentiality outweighs the plaintiff’s proffered justification for accessing the non-party patient medical records. 

The Court went on to say that the Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients' right to confidentiality and HIPAA's Privacy Rule grants federal protections for patients' personal health information held by covered entities and gives patients rights regarding that information. In this case, the plaintiff had other, less-intrusive options for discovering whether the hospital treated similarly situated nurses differently, including, for example, narrowing the scope of the request by deposing other nurses who had worked with the physician in question, the hospital's human resources personnel, or other nurse supervisors.

The broad discovery sought by plaintiff in this matter is not an uncommon approach taken by the plaintiff’s bar in an effort to prove the merits of their client’s claims.  Employers, especially those in the healthcare industry, must be aware of opinions like Kapp in their efforts to limit plaintiff’s unfounded discovery requests and to protect their patients privacy.  

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Cautionary Tale for Health Care Providers Subject to HIPAA - Don't Forget State Law

Posted on April 26, 2011 by Joseph Lazzarotti

Written by Marlo Johnson Roebuck

When considering the proper use or disclosure of patient data, most health care providers look immediately to the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules. But that may not be enough. As the plaintiff in Isidore Steiner, DPM, PC dba Family Foot Center v. Marc Bonanni learned, state law also must considered. In general, a state law will be applied instead of HIPAA if the state law is more stringent and protective of patients’ protected health information (PHI).

In Bonanni, the Family Foot Center, a HIPAA-covered entity, was seeking to enforce a non-compete agreement with its former employee, a physician. Believing the former employee was soliciting its patients in violation of the agreement, the Center requested its former employee’s patient lists as part of pre-trial discovery. The physician objected on the ground that HIPAA and Michigan law on physician-patient privilege protected information of non-party patients from disclosure without their consent. The Center filed a motion to compel the disclosure.

The trial court denied the motion, reasoning that the names, addresses, and phone numbers of non-party patients were privileged under Michigan law. The Center appealed.

Under HIPAA, a covered entity generally may not use or disclose an individual’s PHI without a written authorization or providing the individual the opportunity to agree or object. However, it may do so for example, when responding to a subpoena or discovery request, upon satisfying certain conditions. 45 CFR 164.512(e). Nevertheless, HIPAA further provides that even this limited exception can be trumped by a more stringent state law that prohibits such use or disclosure of PHI.

The appellate court held that under Michigan’s physician-patient privilege, MCL 600.2157, the right to waive the privilege rests solely with the patient. Further, unlike HIPAA, the privilege did not contain exceptions for disclosing patient information in judicial proceedings. The Court concluded that Michigan’s physician-patient privilege conflicted with HIPAA and provided more stringent protections for the PHI at issue. Therefore, the state’s privilege law trumped HIPAA. The Court affirmed the denial of the Center’s discovery motion. In reaching this result, it rejected the Center’s plea that it could not proceed with its non-compete action without the requested information. The Court stated:

To this, we say that it is not our role to address either the wisdom of a physician’s efforts to restrict with whom a patient may consult or the appropriate business or legal means by which a corporation can effectively protect its practice. Instead, our limited role is to decide whether the names, addresses and telephone numbers of non-party patients are protected from disclosure by law.

Health care providers receive requests for PHI in many different contexts, not just in connection with litigations. This ruling makes clear that when making disclosures of PHI, considering only HIPAA could be risky. Because this analysis is not limited to Michigan (see, for example, recent Ohio decisions, Turk v. Oiler and Grove v. Northeast Ohio Nephrology Associates, Inc.), providers should undertake a detailed analysis of the applicable federal, state and local laws and regulations prior to making any disclosure.
 

Tags: , , ,

Keylogging--Jurisdictions at Odds Over Privacy Concerns

Posted on May 13, 2010 by Jason C. Gavejian

Keystroke logging (or “keylogging”) is the noting (or logging) of the keys struck on a computer keyboard. Typically, this is done secretly, so  the keyboard user is unaware his activities are being monitored.

Several cases throughout the country have examined an employer’s use of keylogging.  Recently, the Criminal Court of the City of New York held in New York v. Klapper  that an employer who installed keylogging software on office computers and subsequently monitored an employee's e-mail activity did not, absent some showing of contrary e-mail protections or acceptable use policies, access a computer “without authorization” in violation of New York law. 

In some of the strongest language against the premise of e-mail privacy to date, the Court stated in its April 28, 2010 opinion:

[t]he concept of internet privacy is a fallacy upon which no one should rely. It is today’s reality that a reasonable expectation of internet privacy is lost, upon your affirmative keystroke. 

The Court found that e-mails are more akin to a postcard than a letter, as they are less secure and can easily be viewed by a passerby. An employee who sends an e-mail from a work computer sends a communication that will travel through the employer's central computer and will be commonly stored on the employer's server even after it is received and read. Once stored on the server, the employer can easily scan or read all stored e-mails or data. The same holds true once the e-mail reaches its destination, as it travels through the Internet via an Internet service provider. Accordingly, this process diminishes an individual's expectation of privacy in e-mail communications.

In contrast to the strong language from New York, the U.S. District Court for the Northern District of California ruled in Brahmana v. Lembo that a plaintiff could proceed to trial in his case alleging his employer committed an impermissible “interception” under the Electronic Communications Privacy Act (ECPA) by using keylogging to discover the password to his personal e-mail account, and using the logged password, accessed his personal e-mail.  However, another California District Court found in United States v. Ropp that because the keylogger recorded the keystroke information in transit between the keyboard and the CPU, the system transmitting the information did not affect interstate commerce as the required by the ECPA.  Further complicating the issue, a federal court in Ohio questioned Ropp, suggesting in Porter v. Havlicek that it read the statute too narrowly by requiring the communication to be traveling in interstate commerce as opposed to merely “affecting interstate commerce.”

Because of the numerous issues arising from the use of electronic communications, and the varying court opinions on these questions, employers would do well to reexamine their use of keystroke monitoring or logging technology on a regular basis.

Tags: , , , , , , , , , , , ,