A New Jersey District Court has sanctioned a personal injury plaintiff for spoliation following the plaintiff’s deletion of his Facebook account which defendants were trying to access.  

The defendant’s discovery requests asked for documents or records of “wall posts, comments, status updates or personal information posted or made by plaintiff on Facebook and/or any social media website from 2008 through the present.” Later, the defendant sent forms for plaintiff to execute which would authorize Facebook and other sites to release plaintiff’s information. The plaintiff executed all the authorizations except the one for Facebook.

Plaintiff’s failure to execute the Facebook authorization was raised before the Court and the Court ordered plaintiff to execute the authorization.  Plaintiff agreed to enable access by changing his password to a certain word. Thereafter, defense counsel accessed the account to confirm the password change and printed some of the accounts content.  

The following day, Facebook notified plaintiff of the account access from an unknown IP address in New Jersey. Plaintiff notified his counsel who contacted defense counsel to confirm that the records would be sought from Facebook headquarters. Defense  counsel responded, explaining the account was accessed to confirm the password change but would not be accessed again as the authorization was sent to Facebook.

Facebook responded to the authorization advising that the Stored Communications Act barred it from disclosing the data but suggested having plaintiff download the content himself.    Counsel for the parties agreed that plaintiff would do so and turn over a copy, along with a certification that he had made no changes since he was first ordered to execute the authorization. However, plaintiff’s counsel later advised defendants that plaintiff had deactivated the account and could not reactivate it. The plaintiff claimed he deactivated the account because of the notification he received that unknown people were accessing his account without his permission.

The defendants moved for sanctions claiming that the deletion was intentional as postings contained in the deleted account would have helped refute plaintiff’s damages claim. Defendants based this assertion on content printed from the account prior to deactivation.  The Court rejected plaintiff’s argument that the information contained in the account was not intentionally suppressed and found that even if plaintiff did not intend to deprive defendants of the data, he intentionally deleted the account and thereby failed to preserve relevant evidence.

This case, as well as the case discussed here, provide valuable authority for accessing social media content in litigation. 

Shortly after Utah inked its own law, New Mexico Governor Susana Martinez signed S371 into law on April 5, 2013. Similar to the provisions in other states (such as, California, Illinois, Maryland and Michigan), S371 makes it illegal for employers to request or require applicants to provide a password, or demand access in any manner, to an applicant’s social media account or profile. Unlike some of the laws in other states, the New Mexico statute appears to apply only to prospective employees, but not current employees.

Additionally, S371 makes clear that certain activities by employers are not affected by the law, namely:

  • having electronic communication policies in the workplace addressing internet use, social networking activity and email,
  • monitoring use of the employer’s information systems and networks,
  • using information that is publicly available on the Internet, although as noted in prior posts there may be other risks to employers engaging in these activities, such as under the Genetic Information Nondiscrimination Act.

Following a handful of other states (such as, California, Illinois, Maryland and Michigan), a new Utah labor law places limits on employers’ ability to access the "personal Internet accounts" of employees and applicants. Gov. Gary R. Herbert signed the state’s "Internet Employment Privacy Act" (IEPA) on March 26, 2013, together with the "Internet Postsecondary Institution Privacy Act" applying similar restrictions on postsecondary institutions with respect to their students and prospective students. 

The IEPA prohibits an employer from asking an employee or applicant to disclose the username and password that allows access to his or her "personal Internet account," as well as taking adverse action against the individual for failing to do so. There are some qualifications and exceptions, however.

First, "personal Internet accounts" are defined to mean online accounts that are used by an
employee or applicant "exclusively for personal communications unrelated to any business
purpose of the employer." In fact, the statute specifically excludes accounts that are "created, maintained, used, or accessed by an employee or applicant for business related communications or for a business purpose of the employer." Of course, employees frequently use their personal online accounts for business purposes, so it is unclear how widespread the protections under this new law will be.

Consider that most employees’ LinkedIn or Facebook accounts likely include some business contacts for their current employer, setting up the argument that the account is maintained or used for a business purpose of the employer. Perhaps the practical effect of the law will be to provide greater protection for applicants who seem less likely to have online personal accounts created, maintained, used or accessed for a business purpose of the employer. 

Second, the IEPA sets out some specific exceptions, such as:

  • Employers may request or require employees to provide their usernames and passwords to enable the employer to access company-issued (or paid for, in whole or in part) smartphones and other devices, as well as online accounts provided by the employer.
  • Employers may discipline employees for making unauthorized transfers of proprietary or confidential company information or financial data to the employee’s personal Internet account.
  • Employers also may conduct and require employees to cooperate with certain investigations (such as concerning compliance or work-related employee misconduct) when there is specific information about related activity on the employee’s personal Internet account.
  • Perhaps to address the concerns of those employers who have adopted "BYOD" programs, the law does not prohibit the "monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device supplied by, or paid for in whole or in part by, the employer, or stored on an employer’s network, in accordance with state and federal law."
  • Employers also are not prohibited under the law from viewing, accessing, or using information that is publicly available on the Internet, although there may be other risks to employers engaging in these activities, such as under the Genetic Information Nondiscrimination Act.

Employees and applicants may sue employers for violating this law, but damages are limited to $500 per violation.

This development only highlights the increasing regulation of employee (and applicant) privacy in cyberspace, particularly for multi-state employers where the laws vary significantly. Employers need to keep on top of these developments, and ensure their managers and supervisors have been trained so they know their limitations in attracting, managing and disciplining employees.

In 2012, medical malpractice defendants and their defense attorneys earned the right to petition the court for a qualified protective order that would allow them to interview plaintiffs’ health care providers without the presence of the claimants or their attorneys. At that time, one of the conditions for the order was that it limit the disclosure of any protected health information to the litigation before the court.

That law was amended on March 20, 2013, when Tennessee Gov. Bill Haslam signed S.B. 273. The new law requires the defendants to return or destroy the protected health information obtained under such an order, including all copies, when the litigation ends. This new requirement, similar to the requirement that exists under HIPAA, applies to litigations that begin on and after July 1, 2013. Defendants in these cases – health care providers – will need to be sure they keep track of all this health information they obtain under these orders, including all electronic versions, to ensure they are returned or destroyed as required under the new law.

In response to a massive data breach in 2012 involving over 700,000 people, Utah’s Governor Gary R. Herbert signed a new law (S.B. 20) to ensure Utah residents will be notified of the possibility that their individually identifiable health information may be shared with the eligibility databases for Medicaid and the Children’s Health Insurance Program (CHIP). The law becomes effective July 1, 2013.

To notify residents, the law requires health care providers in the state to include this information in their notices of privacy practices (NPP) that they are required to provide under the HIPAA Privacy Rule. HIPAA-covered health care providers should already be updating their NPPs following the final HIPAA regulations issued in January, although S.B. 20 may require Utah providers to act more quickly in updating their NPPs than is required under the HIPAA final regulations, which has September 23, 2013 compliance date. S.B. 20 also requires Medicare and CHIP to check that the notices are in place, and to deny providers access to their eligibility databases if the notices are not in place. The law also gives the state’s Department of Health the authority to develop model language for the NPP.

Because of the seriousness of the breach, S.B. 20 also lays the groundwork to assemble a group that will be charged with establishing best practices for data security. Utah providers will need to monitor this development closely, particularly if the "best practices" create standards that are more stringent than those under the HIPAA privacy and security regulations.  

One of the more common issues faced by healthcare practices (and businesses generally) is how to respond to subpoenas or other requests for medical records of patients and employees. Those who receive these requests often feel compelled to respond in a timely fashion, particularly when it is an attorney subpoena or letter. Unfortunately, responses are made before fully considering critical legal and professional risks.

Consider the following examples:

  • A New Jersey physician was forced to defend his access to family medical records without consent or authorization before the New Jersey Board of Medical Examiners resulting in defense costs and ultimately continuing education requirements for the physician;
  • An Illinois hospital incurred significant legal fees to defend its disclosure of medical records in connection with the plaintiff’s divorce action.
  • Ohio’s Cleveland Clinic could not convince a federal district court to dismiss a patient’s claim for invasion of privacy following the clinic’s disclosure of medical records to a grand jury in response to a subpoena. The court found the state’s patient-physician privilege more protective than HIPAA. Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010).
  • An Alabama patient’s claim that his physician impermissibly disclosed his medical records to his employer survived a motion for summary judgment because the physician made the disclosure without having received a written request, as required under state law.
  • In Wisconsin, a pharmacist was sued after disclosing an employee’s prescription history to his employer. The pharmacist’s ignorance of the states privacy laws and the employee’s attorneys false pretenses to obtain the information were not a sufficient defense. The court found the release was knowing and willful and held the pharmacist must be familiar with the technical requirements for releasing patient data.
  • A Court held another New Jersey doctor liable when he released a patient’s records to opposing counsel pursuant to an improper subpoena, even though the subpoena’s defects were of a technical nature. Again, the Court required the doctor to know the laws regarding patient privacy, specifically noting it was the doctor’s burden to consult with legal counsel to ensure the release is proper. Crescenzo v. Crane, 350 N.J. Super. 531 (App. Div. 2002), cert. den. 174 N.J. 364 (2002).

Responding to these requests often is a delicate balance between avoiding being hauled into court for non-compliance with the subpoena/request and violating patient rights, such as by responding to a subpoena that may be improper or invalid, or otherwise failing to take into account applicable federal and state requirements before releasing the records.

Some of the most common issues which must be considered are:

  1. What type of information is contained within the records requested?
  2. What statutory, regulatory or common law protections apply to some or all of the information requested, such as the patient-physician privilege?
  3. Is the authorization valid?
  4. Whether responding to the subpoena is appropriate without patient authorization or providing the patient an opportunity to object to the disclosure?
  5. Is a court order, including an order with specific findings, needed for some or all of the responsive information?
  6. Is the requesting party authorized to be acting for the individual/patient/employee?
  7. What safeguards should be taken to ensure the disclosure is made in a secure manner?
  8. Must the business keep a record/account for the disclosure?

As more and more individuals, entities and attorneys seek medical information, including through discovery in litigation, these issues will only become more prevalent. Most healthcare practices look to HIPAA as the governing law that determines the proper use and disclosure of patient data, but state laws and professional obligations also must also be considered. Under HIPAA, a covered entity generally may not use or disclose an individual’s protected health information without a written authorization or providing the individual the opportunity to agree or object. There are, however, a number of thorny exceptions, such as for requests made in the course of judicial or administrative proceedings, or disclosures to law enforcement.

Nevertheless, HIPAA generally provides that these exceptions can be trumped by more stringent state laws that prohibit uses or disclosures of PHI without certain additional protections. In fact, courts routinely look to not only generally applicable state statutory requirements, but also protections under the "common law." This fact has been highlighted in decisions from courts throughout the country, as well as decisions by state boards of medical examiners, including those summarized above. In addition to fines and penalties which can be extensive, the cost of litigation to defend these suits can run into the tens of thousands of dollars, all for “simply” responding to what appears to be a lawfully issued subpoena or request.

Medical offices, clinics and practices, in particular, need to have a comprehensive, easy to understand plan that addresses what to do when staff receive requests for patient records. The plan should anticipate the kinds of requests that are likely to be received and the acceptable responses, including approved form documents to be used, as well as a means for documenting the request, verification steps taken and the response. Of course, the plan should alert the user to situations where additional guidance might be advisable to ensure the disclosure itself is proper, as well as the method of disclosure. 

In this case (Doe v Guthrie Clinic, Ltd, March 25, 2013), the Second Circuit Court of Appeals (covering New York, Connecticut and Vermont) is asking New York’s highest court to determine whether the common law permits a medical corporation to be sued for a breach of the fiduciary duty of confidentiality concerning patient medical records when a non-physician employee makes an unauthorized disclosure of those records. The position the New York Court of Appeals takes will be watched closely by health care providers across the Empire State as the requirements for securing patient data continue to tighten with, among other things, the final HIPAA regulations being issued under HITECH this past January.

Here, Doe (patient) sued Guthrie Clinic because one of the clinic’s nurses (and sister-in-law of Doe’s girlfriend) texted Doe’s girlfriend about Doe’s treatment for a sexually transmitted disease (STD). All of the patient’s claims, including a claim for common law breach of fiduciary duty to maintain the confidentiality of personal health information, were dismissed by the lower court. Doe appealed the dismissal to the Second Circuit. 

The federal appellate court reversed the dismissal of the fiduciary breach claim, noting that New York courts have not addressed this situation. That is, there are no decisions in New York that specifically address whether a medical practice could be liable under a breach of fiduciary duty theory when its non-physician employee wrongfully discloses confidential medical information. Employers in New York generally are liable for the foreseeable actions of their employees which are within the scope of employment, but usually not when those actions are driven by personal reasons of the employee.

Under the facts in this case, New York’s high court may find no cause of action exists, leaving patients/plaintiffs with one less avenue to sue. The risks and exposures remain, however, for health care providers who will incur significant costs defending these actions in court and addressing complaints before state and federal agencies. Strong policies and employee training  will not prevent patient claims and complaints, but they will help to put providers in a better position to defend their actions.

Unwilling to wait for Congress to act, President Obama signed an executive order on Feb. 12, 2013, the same date that he delivered the State of the Union address. The executive order directs certain federal agencies to develop voluntary standards for achieving cybersecurity, an effort to be led, in part, by the National Institute of Standards and Technology, a component of the Commerce Department.

Citing national security concerns, the President’s order seeks cooperation and collaboration with the private sector. It is unclear at this point how far the "voluntary" standards will reach, or how much the President can force compliance absent Congressional action. However, once in place, companies may feel compelled to comply in order to remain competitive and to ensure a stronger defensible position in litigation involving lapses in security of critical data. 

The National Health Service, which represents a significant part of the United Kingdom’s government-run health system, is looking to go paperless. In the process, as part of its "Everyone Counts" initiative, it has plans to require doctors to turn over to NHS significant amounts of patient data. (Read more about NHS’ plan).  For example, NHS providers would be required to turn over a patient’s NHS number, date of birth, gender, post code, ethnicity code and date of death, among other data elements including diagnosis code, smoking status, alcohol use and so on.

Just as concerns in the U.S. led to the HIPAA privacy and security regulations, the Guardian is reporting privacy advocates in the UK are concerned about this collection of personal health information by the government. And there are reasons for concern – it has been reported that for the 12-month period ending July 2012, NHS had 16 breaches that exposed 1.8 million health records. It remains to be seen how secure this information will be.