Search right to access

Recently, Virginia Gov. Terry McAuliffe (D) signed a bill that limits employer access to the personal social media accounts of employees and job applicants.  The law, which takes effect on July 1, 2015 prohibits employers in Virginia from requiring, requesting, or causing a current or prospective employee to disclose the username and password to the individual’s social media account.  Additionally, the law also prohibits employers from requiring an employee to add another employee, a supervisor, or an administrator to the list or contacts associated with the individual’s social media account or changing the privacy settings.  We have prepared a detailed article discussing the new law.

In 2012, Maryland was the first state to prohibit employers from demanding social media passwords.  In a trend that is likely to continue, Virginia now becomes the 19th state to implement a workplace social media password privacy law.

As we previously reported, sending a “friend” request to access information on an individual’s Facebook page that is not publicly available may have serious ethical implications.  Specifically, the New Jersey Office of Attorney Ethics (OAE) alleges John Robertelli and Gabriel Adamo violated the Rules of Professional Conduct, including those governing communications with represented parties, when they caused a paralegal to “friend” the plaintiff in a personal injury case so they could access information on the plaintiff’s Facebook page.

In an attempt to end the disciplinary action against them, the attorneys brought a declaratory judgment action against the state ethics authorities for lack of subject matter jurisdiction.  Today, an appeals panel upheld the dismissal of that declaratory judgment action, finding that only the New Jersey Supreme Court can decide the appropriateness of bringing an ethic’s case.  As such, the matter returns to the OAE for decision and/or further proceedings.

This case highlights the need for care when conducting investigations into an adverse party and the limits on accessing truly non-public information contained in social media.

The United States Equal Employment Opportunity Commission (EEOC) recently held a meeting to gather information about the growing use of social media and how it impacts the laws the EEOC enforces.

During the meeting, a panel representative from the Society for Human Resource Management (SHRM) explained that employers use different types of social media for various reasons, including: employee engagement and knowledge-sharing; marketing to clients and potential customers; crisis management; and recruitment and hiring.

Others noted that while social media has benefits and can be a valuable tool, the improper use of information obtained from such sites may be discriminatory since most individuals’ race, gender, age, disability, and possibly ethnicity can be discerned from information on social media sites.  This is especially important in states which have prohibited employers from requesting access to employees’ or potential employees’ social media accounts.

Perhaps the most telling area discussed during the meeting was the increased use of social media as a source of discovery in employment discrimination litigation.  While there appears to be no dispute that public social media content is accessible by all, a Senior Trial Attorney in the EEOC’s Denver Field Office warned that the increased effort to access potentially aggrieved persons private social media communications may have a chilling effect on persons seeking to exercise their rights under federal anti-discrimination laws.

The EEOC has often taken the position that social media content is not relevant, while many employers have utilized social media to gain valuable discovery, especially with regard to emotional distress damages.  The EEOC’s position is now being mirrored at the state level where plaintiffs assert that their social media content is not relevant.  However, defendants (often employers) have benefited from obtaining social media content to dispute a plaintiff’s claims, especially when the defendant is able to demonstrate the relevant nature of social media content to the litigation.

Social media, and especially the discovery of same, is one of the most important and ever evolving areas of employment law.  Litigants, and employers must be prepared for the nuances associated with social media and the current standing of the law in the local  jurisdiction.

Nevada becomes the 12th state to restrict an employer’s access to employee and prospective employee personal social media accounts. Learn more about the law; it takes effect on October 1, 2013.

The other states are Arkansas, Colorado, New Mexico, Oregon, Utah, Vermont and Washington, which adopted similar laws this year, and California, Illinois, Maryland, and Michigan, which did so in 2012. Click here for more information about these laws.  

In a case reflecting the challenges faced by institutions of higher education in trying to prevent violence on campus, a judge in the U.S. District Court for the Eastern District of Pennsylvania declined to dismiss claims against Widener University by a former student under the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA) for accessing the student’s Facebook account without permission. Rodriguez v. Widener University, No. 13-1336 (E. D. Pa. June 17, 2013).

According to the court, friction between Rodriguez, a Navy veteran enrolled in a pre-med program, and the University apparently began when Rodriguez had a disagreement with his faculty adviser about creationism. Rodriguez was subsequently summoned to the Deans’ office where he was confronted with printed images from his Facebook account and an email that he had allegedly sent to 48 widener.edu addresses in which he said that he had recently been detained in a psychiatric ward in North Carolina and further stated:

"I am moving and operating in a cold-fury….I have been harassed about there being a God, and I can’t make anyone agree with me, but I promise you that my belief is the only thing keeping me from doing a significant amount of damage to a small town in NC; property, police and public citizens, all of which treated me lower than dirt…"

On his Facebook page, where he referred to himself as "Broseidon Steele," he had allegedly written, "I am Superman; and there’s no such thing as Kryptonite… Finally after years of patiently waiting, I will show you how to weapon eyes [sic]" and posted photographs of firearms. The University suspended Rodriguez in part due to the images of firearms and sent him for an involuntary mental health evaluation. He was also searched and allegedly found to possess a knife and some marijuana. According to the Court’s decision, after being committed involuntarily for seven days, during which time he missed an award ceremony and medical school admissions interview, Rodriguez was cleared to return to school.

Rodriguez sued the University under various legal theories including deprivation of his constitutional rights under 42 U.S.C. Sections 1983 and 1985, violation of the ECPA, violation of the SCA, violation of the Rehabilitation Act, and a state law claim of invasion of privacy. The Court dismissed most of his claims, but allowed Rodriguez to proceed on the ECPA and SCA counts to the extent they were based on the allegation that the defendants improperly accessed his Facebook images because they were not generally available to the public. Rodriguez also claimed the University had improperly accessed his email account, but since the email was sent to one of the individually-named defendants, the Court held that there was no improper access. Rodriguez also alleged that the University obtained information from his medical providers without authorization but the court did not address that part of his claim in its decision. It was not clear from the record how Defendants obtained access to Rodriguez’s private Facebook account, but the decision suggests a greater willingness by the courts to apply the provisions of the ECPA and SCA in situations where institutions or employers gather electronic  information without authorization.

 

The Fourth District Court of Appeal for the State of California expanded the tort of "public disclosure of private facts" under that state’s common law right to privacy in a case involving a claim by an employee against her supervisor and employer. Ignat v. Yum! Brands, Inc. et al, No. G046434, (Cal. Ct. App. March 18, 2013). The plaintiff in that case suffered from bi-polar disorder and occasionally missed work due to the side effects of medication adjustments.  After returning from such an absence, the plaintiff alleged that her supervisor had informed everyone in her department about her medical condition and that, as a result, she was "shunned" and a co-worker asked if she was going to "go postal."  The plaintiff filed suit alleging a single cause of action for invasion of privacy by public disclosure of private facts. The trial court dismissed her claim on summary judgment because the disclosure of her condition was not in writing, relying on California case law from the early 1930’s.

On appeal, the court reversed the dismissal, concluding that "limiting liability for public disclosure of private facts to those recorded in writing is contrary to the tort’s purpose, which has been since its inception to allow a person to control the kind of information about himself made available to the public – in essence to define his public persona."  The court went on to note that, "[w]hile this restriction may have made sense in the 1890’s – when no one dreamed of talk radio or confessional television – it certainly makes no sense now."

The court also clarified that the common law tort of invasion of privacy was not based on the guarantee of privacy which was added to the California Constitution in 1972 and noted that the two legal theories (common law and the State Constitution) provide "separate, albeit related ways to ensure privacy."

Different states have interpreted the common law right of privacy in the workplace in different ways. In Minnesota, for example, a district court rejected a lawsuit by an employee who claimed that her employer violated her right to privacy when it informed approximately 12 to 15 individuals that she suffered from multiple sclerosis. That court determined that because the disclosure was not "accessible to the public at large," it did not qualify as public in nature for purposes of maintaining an invasion of privacy claim. Johnson v. Cambell Mithun, 401 F. Supp.2d 964 (Minn. 2005).

If an employee is out on medical leave or requires an accommodation, employers may be asked what information, if any, can be disclosed to co-workers and supervisors about that employee’s medical condition, and the reason for her leave or accommodation. HIPAA is probably not implicated in such situations because most employers are not covered entities in this context. Both the Americans with Disabilities Act (ADA) and the Family Medical Leave Act (FMLA), however, require employers to maintain confidentiality of medical information. See 29 C.F.R. Section 1630.14(c) (relating to ADA) and 29 C.F.R. Section 825.500 (relating to FMLA).

Employees asserting a common law claim for invasion of privacy against their employer based on the disclosure of medical information have not often been successful, but Ignat suggests the tide may be changing. The best practice is to reveal as little as possible to those with a need to know.

One of the more common issues faced by healthcare practices (and businesses generally) is how to respond to subpoenas or other requests for medical records of patients and employees. Those who receive these requests often feel compelled to respond in a timely fashion, particularly when it is an attorney subpoena or letter. Unfortunately, responses are made before fully considering critical legal and professional risks.

Consider the following examples:

  • A New Jersey physician was forced to defend his access to family medical records without consent or authorization before the New Jersey Board of Medical Examiners resulting in defense costs and ultimately continuing education requirements for the physician;
  • An Illinois hospital incurred significant legal fees to defend its disclosure of medical records in connection with the plaintiff’s divorce action.
  • Ohio’s Cleveland Clinic could not convince a federal district court to dismiss a patient’s claim for invasion of privacy following the clinic’s disclosure of medical records to a grand jury in response to a subpoena. The court found the state’s patient-physician privilege more protective than HIPAA. Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010).
  • An Alabama patient’s claim that his physician impermissibly disclosed his medical records to his employer survived a motion for summary judgment because the physician made the disclosure without having received a written request, as required under state law.
  • In Wisconsin, a pharmacist was sued after disclosing an employee’s prescription history to his employer. The pharmacist’s ignorance of the states privacy laws and the employee’s attorneys false pretenses to obtain the information were not a sufficient defense. The court found the release was knowing and willful and held the pharmacist must be familiar with the technical requirements for releasing patient data.
  • A Court held another New Jersey doctor liable when he released a patient’s records to opposing counsel pursuant to an improper subpoena, even though the subpoena’s defects were of a technical nature. Again, the Court required the doctor to know the laws regarding patient privacy, specifically noting it was the doctor’s burden to consult with legal counsel to ensure the release is proper. Crescenzo v. Crane, 350 N.J. Super. 531 (App. Div. 2002), cert. den. 174 N.J. 364 (2002).

Responding to these requests often is a delicate balance between avoiding being hauled into court for non-compliance with the subpoena/request and violating patient rights, such as by responding to a subpoena that may be improper or invalid, or otherwise failing to take into account applicable federal and state requirements before releasing the records.

Some of the most common issues which must be considered are:

  1. What type of information is contained within the records requested?
  2. What statutory, regulatory or common law protections apply to some or all of the information requested, such as the patient-physician privilege?
  3. Is the authorization valid?
  4. Whether responding to the subpoena is appropriate without patient authorization or providing the patient an opportunity to object to the disclosure?
  5. Is a court order, including an order with specific findings, needed for some or all of the responsive information?
  6. Is the requesting party authorized to be acting for the individual/patient/employee?
  7. What safeguards should be taken to ensure the disclosure is made in a secure manner?
  8. Must the business keep a record/account for the disclosure?

As more and more individuals, entities and attorneys seek medical information, including through discovery in litigation, these issues will only become more prevalent. Most healthcare practices look to HIPAA as the governing law that determines the proper use and disclosure of patient data, but state laws and professional obligations also must also be considered. Under HIPAA, a covered entity generally may not use or disclose an individual’s protected health information without a written authorization or providing the individual the opportunity to agree or object. There are, however, a number of thorny exceptions, such as for requests made in the course of judicial or administrative proceedings, or disclosures to law enforcement.

Nevertheless, HIPAA generally provides that these exceptions can be trumped by more stringent state laws that prohibit uses or disclosures of PHI without certain additional protections. In fact, courts routinely look to not only generally applicable state statutory requirements, but also protections under the "common law." This fact has been highlighted in decisions from courts throughout the country, as well as decisions by state boards of medical examiners, including those summarized above. In addition to fines and penalties which can be extensive, the cost of litigation to defend these suits can run into the tens of thousands of dollars, all for “simply” responding to what appears to be a lawfully issued subpoena or request.

Medical offices, clinics and practices, in particular, need to have a comprehensive, easy to understand plan that addresses what to do when staff receive requests for patient records. The plan should anticipate the kinds of requests that are likely to be received and the acceptable responses, including approved form documents to be used, as well as a means for documenting the request, verification steps taken and the response. Of course, the plan should alert the user to situations where additional guidance might be advisable to ensure the disclosure itself is proper, as well as the method of disclosure.