In addition to requirements to safeguard increasingly vast amounts of patient data, healthcare providers also need to be mindful of when that data can be used and disclosed. One key challenge in that area is understanding whether state or federal law applies. The U.S. Eleventh Circuit Court of Appeals (which covers Florida, Georgia, and Alabama), held that the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law, Section 400.145, that allowed for the release of medical records of deceased residents of nursing homes to specified individuals without prior authorization. Opis Management Resources, LLC et al. v. Secretary Florida Agency for Health Care Administration.

The plaintiffs, comprised of several nursing home facilities, filed suit in federal district court challenging the Florida Agency for Health Care Administration’s (“AHCA”) citations to the facilities for their refusal to disclose deceased residents’ medical records to surviving spouses, family members, and attorneys-in-fact who were not personal representatives under the relevant HIPAA provisions. The nursing homes asked a federal district court judge to declare that Florida Statute § 400.145 was preempted by HIPAA. The district (trial) court granted summary judgment in favor of the nursing facilities finding that the Florida law provided nursing home residents less protection than required under HIPAA.

On appeal, the Eleventh Circuit affirmed the district court’s grant of summary judgment concluding that Section 400.145

impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule in keeping an individual’s protected health information confidential.

As the court explained, HIPAA includes a preemption clause providing that HIPAA supersedes any contrary state law provision, including any state law which “stands as an obstacle to the accomplishment and execution of [HIPAA’s] full purposes and objectives.” In other words, if a state law provides for less stringent protection than that already provided by HIPAA, it is preempted or superseded by HIPAA. HIPAA, however, does not preempt state laws providing more stringent protections.

Since 2000, the federal Department of Health and Human Services has issued extensive regulations, known as the Privacy Rule, that establish procedures by which protected health information (“PHI”) may be used or disclosed by a covered entity or business associate. Under the most recent set of regulations issued in January, HIPAA protection of PHI for deceased individuals remains in effect for a period of fifty (50) years after the individual’s death. The Privacy Rule further provides that PHI may be disclosed to a personal representative (one who under applicable state law is an executor, administrator or other individual with the authority to act on behalf of a deceased person or the individual’s estate). Additionally, a covered entity may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. In such a case, PHI of the deceased can be released to the extent it is relevant to such person’s involvement in the care or payment for the care.

Section 400.145, Florida Statutes, provides in pertinent part that “[u]nless expressly prohibited by a legally competent resident, any nursing home licensed pursuant to this part shall furnish to the spouse, guardian, surrogate, proxy, or attorney in fact . . . of a current resident, . . . or of a former resident, . . . a copy of that resident’s records which are in the possession of the facility.” The court found that although the statute lists a number of individuals to whom records could be disclosed, it “does not empower or require an individual to act on behalf of a deceased resident,” and, therefore, does not identify any of those individuals to qualify as personal representatives under HIPAA. Therefore, the statute provides a much broader class of individuals than under HIPAA to whom the deceased’s PHI may be disclosed without authorization. Additionally, the Florida statute does not contain the same limitations or restrictions as the Privacy Rule with regard to releasing PHI of a deceased individual to those involved in the individual’s care or who paid for it and only to the extent the information is relevant to the person’s involvement or payment. Accordingly, the court found HIPAA provided more stringent protections of PHI than the Florida statute and held HIPAA preempts Section 400.145.

In the face of increasing incidences of and rising public concern regarding identity theft, the California Legislature is considering a bill with new personal information data disclosure requirements for California businesses and a broad definition of what constitutes personal information.

California Assembly Bill 1291, would require businesses who have customer personal information and have disclosed such information to provide each such customer with notice of the names and contact information of all third parties who received personal information from the business and provide a designated request address at which to receive requests from customers as provided for under the bill. Additionally, the business must make available, free of charge, access to or copies of all of the customer’s personal information that the business holds. Also, if the business has any online privacy policies, each privacy policy must also include a statement of the customer’s rights as provided in the legislation and a designated request address.

Personal information broadly includes, but is not limited to, any of the following: (1) identity information such as real name, alias, nickname, and user name; (2) address information, including but not limited to, postal address, e-mail, internet protocol address; (3) telephone number; (4) account name; (5) social security number or other government-issued identification number, such as a driver’s license number, identification card number, and passport number; (6) birthdate or age; (7) physical characteristic information such as height and weight; (8) sexual information, including but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression; (9) race or ethnicity; (10) religious affiliation or activity; (11) political affiliation or activity; (12) professional or employment-related information; (13) educational information; (14) medical information; (15) financial information; (16) commercial information; (17) location information; (18) internet or mobile activity information; (19) content including text, photographs, audio or video recordings, or other material generated by or provided by the customer; and (20) any of the above information as it relates to the customer’s children.

Customer is defined as an individual who is a resident of California and provides personal information to a business “in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any other content.” Customers also include individuals for whom the business obtained personal information from another business. Accordingly, the bill would cover individuals who are not traditionally thought of as customers and may also include a business’ employees.

All businesses, including employers, with operations in California or with California customers must stay abreast of these developments and, given the breadth of personal information implicated, no such business can be exempt from the requirements. In preparation for the passing of this or a similar bill, it is important to determine how customer personal information is disclosed and set forth a compliance plan to meet the pending disclosure and access requirements.

The Fourth District Court of Appeal for the State of California expanded the tort of "public disclosure of private facts" under that state’s common law right to privacy in a case involving a claim by an employee against her supervisor and employer. Ignat v. Yum! Brands, Inc. et al, No. G046434, (Cal. Ct. App. March 18, 2013). The plaintiff in that case suffered from bi-polar disorder and occasionally missed work due to the side effects of medication adjustments.  After returning from such an absence, the plaintiff alleged that her supervisor had informed everyone in her department about her medical condition and that, as a result, she was "shunned" and a co-worker asked if she was going to "go postal."  The plaintiff filed suit alleging a single cause of action for invasion of privacy by public disclosure of private facts. The trial court dismissed her claim on summary judgment because the disclosure of her condition was not in writing, relying on California case law from the early 1930’s.

On appeal, the court reversed the dismissal, concluding that "limiting liability for public disclosure of private facts to those recorded in writing is contrary to the tort’s purpose, which has been since its inception to allow a person to control the kind of information about himself made available to the public – in essence to define his public persona."  The court went on to note that, "[w]hile this restriction may have made sense in the 1890’s – when no one dreamed of talk radio or confessional television – it certainly makes no sense now."

The court also clarified that the common law tort of invasion of privacy was not based on the guarantee of privacy which was added to the California Constitution in 1972 and noted that the two legal theories (common law and the State Constitution) provide "separate, albeit related ways to ensure privacy."

Different states have interpreted the common law right of privacy in the workplace in different ways. In Minnesota, for example, a district court rejected a lawsuit by an employee who claimed that her employer violated her right to privacy when it informed approximately 12 to 15 individuals that she suffered from multiple sclerosis. That court determined that because the disclosure was not "accessible to the public at large," it did not qualify as public in nature for purposes of maintaining an invasion of privacy claim. Johnson v. Cambell Mithun, 401 F. Supp.2d 964 (Minn. 2005).

If an employee is out on medical leave or requires an accommodation, employers may be asked what information, if any, can be disclosed to co-workers and supervisors about that employee’s medical condition, and the reason for her leave or accommodation. HIPAA is probably not implicated in such situations because most employers are not covered entities in this context. Both the Americans with Disabilities Act (ADA) and the Family Medical Leave Act (FMLA), however, require employers to maintain confidentiality of medical information. See 29 C.F.R. Section 1630.14(c) (relating to ADA) and 29 C.F.R. Section 825.500 (relating to FMLA).

Employees asserting a common law claim for invasion of privacy against their employer based on the disclosure of medical information have not often been successful, but Ignat suggests the tide may be changing. The best practice is to reveal as little as possible to those with a need to know.

A New Jersey District Court has sanctioned a personal injury plaintiff for spoliation following the plaintiff’s deletion of his Facebook account which defendants were trying to access.  

The defendant’s discovery requests asked for documents or records of “wall posts, comments, status updates or personal information posted or made by plaintiff on Facebook and/or any social media website from 2008 through the present.” Later, the defendant sent forms for plaintiff to execute which would authorize Facebook and other sites to release plaintiff’s information. The plaintiff executed all the authorizations except the one for Facebook.

Plaintiff’s failure to execute the Facebook authorization was raised before the Court and the Court ordered plaintiff to execute the authorization.  Plaintiff agreed to enable access by changing his password to a certain word. Thereafter, defense counsel accessed the account to confirm the password change and printed some of the accounts content.  

The following day, Facebook notified plaintiff of the account access from an unknown IP address in New Jersey. Plaintiff notified his counsel who contacted defense counsel to confirm that the records would be sought from Facebook headquarters. Defense  counsel responded, explaining the account was accessed to confirm the password change but would not be accessed again as the authorization was sent to Facebook.

Facebook responded to the authorization advising that the Stored Communications Act barred it from disclosing the data but suggested having plaintiff download the content himself.    Counsel for the parties agreed that plaintiff would do so and turn over a copy, along with a certification that he had made no changes since he was first ordered to execute the authorization. However, plaintiff’s counsel later advised defendants that plaintiff had deactivated the account and could not reactivate it. The plaintiff claimed he deactivated the account because of the notification he received that unknown people were accessing his account without his permission.

The defendants moved for sanctions claiming that the deletion was intentional as postings contained in the deleted account would have helped refute plaintiff’s damages claim. Defendants based this assertion on content printed from the account prior to deactivation.  The Court rejected plaintiff’s argument that the information contained in the account was not intentionally suppressed and found that even if plaintiff did not intend to deprive defendants of the data, he intentionally deleted the account and thereby failed to preserve relevant evidence.

This case, as well as the case discussed here, provide valuable authority for accessing social media content in litigation. 

Shortly after Utah inked its own law, New Mexico Governor Susana Martinez signed S371 into law on April 5, 2013. Similar to the provisions in other states (such as, California, Illinois, Maryland and Michigan), S371 makes it illegal for employers to request or require applicants to provide a password, or demand access in any manner, to an applicant’s social media account or profile. Unlike some of the laws in other states, the New Mexico statute appears to apply only to prospective employees, but not current employees.

Additionally, S371 makes clear that certain activities by employers are not affected by the law, namely:

  • having electronic communication policies in the workplace addressing internet use, social networking activity and email,
  • monitoring use of the employer’s information systems and networks,
  • using information that is publicly available on the Internet, although as noted in prior posts there may be other risks to employers engaging in these activities, such as under the Genetic Information Nondiscrimination Act.

Following a handful of other states (such as, California, Illinois, Maryland and Michigan), a new Utah labor law places limits on employers’ ability to access the "personal Internet accounts" of employees and applicants. Gov. Gary R. Herbert signed the state’s "Internet Employment Privacy Act" (IEPA) on March 26, 2013, together with the "Internet Postsecondary Institution Privacy Act" applying similar restrictions on postsecondary institutions with respect to their students and prospective students. 

The IEPA prohibits an employer from asking an employee or applicant to disclose the username and password that allows access to his or her "personal Internet account," as well as taking adverse action against the individual for failing to do so. There are some qualifications and exceptions, however.

First, "personal Internet accounts" are defined to mean online accounts that are used by an
employee or applicant "exclusively for personal communications unrelated to any business
purpose of the employer." In fact, the statute specifically excludes accounts that are "created, maintained, used, or accessed by an employee or applicant for business related communications or for a business purpose of the employer." Of course, employees frequently use their personal online accounts for business purposes, so it is unclear how widespread the protections under this new law will be.

Consider that most employees’ LinkedIn or Facebook accounts likely include some business contacts for their current employer, setting up the argument that the account is maintained or used for a business purpose of the employer. Perhaps the practical effect of the law will be to provide greater protection for applicants who seem less likely to have online personal accounts created, maintained, used or accessed for a business purpose of the employer. 

Second, the IEPA sets out some specific exceptions, such as:

  • Employers may request or require employees to provide their usernames and passwords to enable the employer to access company-issued (or paid for, in whole or in part) smartphones and other devices, as well as online accounts provided by the employer.
  • Employers may discipline employees for making unauthorized transfers of proprietary or confidential company information or financial data to the employee’s personal Internet account.
  • Employers also may conduct and require employees to cooperate with certain investigations (such as concerning compliance or work-related employee misconduct) when there is specific information about related activity on the employee’s personal Internet account.
  • Perhaps to address the concerns of those employers who have adopted "BYOD" programs, the law does not prohibit the "monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device supplied by, or paid for in whole or in part by, the employer, or stored on an employer’s network, in accordance with state and federal law."
  • Employers also are not prohibited under the law from viewing, accessing, or using information that is publicly available on the Internet, although there may be other risks to employers engaging in these activities, such as under the Genetic Information Nondiscrimination Act.

Employees and applicants may sue employers for violating this law, but damages are limited to $500 per violation.

This development only highlights the increasing regulation of employee (and applicant) privacy in cyberspace, particularly for multi-state employers where the laws vary significantly. Employers need to keep on top of these developments, and ensure their managers and supervisors have been trained so they know their limitations in attracting, managing and disciplining employees.

In 2012, medical malpractice defendants and their defense attorneys earned the right to petition the court for a qualified protective order that would allow them to interview plaintiffs’ health care providers without the presence of the claimants or their attorneys. At that time, one of the conditions for the order was that it limit the disclosure of any protected health information to the litigation before the court.

That law was amended on March 20, 2013, when Tennessee Gov. Bill Haslam signed S.B. 273. The new law requires the defendants to return or destroy the protected health information obtained under such an order, including all copies, when the litigation ends. This new requirement, similar to the requirement that exists under HIPAA, applies to litigations that begin on and after July 1, 2013. Defendants in these cases – health care providers – will need to be sure they keep track of all this health information they obtain under these orders, including all electronic versions, to ensure they are returned or destroyed as required under the new law.

In response to a massive data breach in 2012 involving over 700,000 people, Utah’s Governor Gary R. Herbert signed a new law (S.B. 20) to ensure Utah residents will be notified of the possibility that their individually identifiable health information may be shared with the eligibility databases for Medicaid and the Children’s Health Insurance Program (CHIP). The law becomes effective July 1, 2013.

To notify residents, the law requires health care providers in the state to include this information in their notices of privacy practices (NPP) that they are required to provide under the HIPAA Privacy Rule. HIPAA-covered health care providers should already be updating their NPPs following the final HIPAA regulations issued in January, although S.B. 20 may require Utah providers to act more quickly in updating their NPPs than is required under the HIPAA final regulations, which has September 23, 2013 compliance date. S.B. 20 also requires Medicare and CHIP to check that the notices are in place, and to deny providers access to their eligibility databases if the notices are not in place. The law also gives the state’s Department of Health the authority to develop model language for the NPP.

Because of the seriousness of the breach, S.B. 20 also lays the groundwork to assemble a group that will be charged with establishing best practices for data security. Utah providers will need to monitor this development closely, particularly if the "best practices" create standards that are more stringent than those under the HIPAA privacy and security regulations.