Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
49 F. State Privacy Laws Applicable to State and Local Agencies Some states have enacted the equivalent of the Federal Privacy Act that is discussed in Appendix A. For example, the California statute governs the collection, use, and disclosure of personal informa- tion held by state agencies; the statute does not apply to city or county agencies.513 Other states have laws similar to the Federal Privacy Act.514 In Virginia, the statute applies to any agency or gov- ernmental entity of the Commonwealth, as well as counties, cities, or other units of local government. Moreover, an agency includes âany entity, whether public or private, with which any of the foregoing has entered into a contractual relation- ship for the operation of a system of personal in- formation to accomplish an agency function.â515 G. State Public Records Disclosure Laws Public records disclosure laws may apply to state agencies,516 as well as to local govern- ments.517 In general, the federal and state FOIAs and public records disclosure laws exempt health information from disclosure.518 In California, the 513 CAL. CIV. CODE §§ 1798.3 and 1798.14 (2013) and CAL. GOVâT CODE § 6252(a) (2013) (defining local agency to mean âa county; city, whether general law or char- tered; city and county; school district; municipal corpo- ration; district; political subdivision; or any board, commission or agency thereof; other local public agency; or entities that are legislative bodies of a local agency pursuant to subdivisions (c) and (d) of Section 54952â). 514 Indiana Fair Information Practices Act, IC §§ 4-1- 6-1 to 4-1-6-8 (2013). See also, IND. CODE ANN. § 4-1-6- 19(d) (2013) (defining state agency); Massachusetts Fair Information Practices Act, MASS. GEN. LAWS ch 66A, §§ 1-3 (2013) (imposing duties on state agencies regarding personal data they maintain); N.Y. PUB. OFF. LAW § 95 (2013); Government Data Collection and Dissemination Practices Act, VA. CODE ANN. §§ 2.2-3800 and 2.2- 3801(2) (2013). 515 VA. CODE ANN. § 2.2-3801 (2013). 516 Massachusetts Freedom of Information Act, MASS. GEN. LAWS ch. 4, § 7, cl. 26 (2013) (government- maintained medical files and information not âpublic recordsâ open to inspection). 517 Illinois Freedom of Information Act, 5 ILL. COMP. STAT. 140/2 (2013). 518 5 ILL. COMP. STAT. 140/7(c) (2013) (exempting from disclosure â[p]ersonal information contained within public records, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy, unless the disclosure is consented to in writing by the individual subjects of the informationâ and stating that ââunwarranted invasion of personal privacyâ means the disclosure of information that is highly personal or ob- California Public Records Act and the Information Practices Act of 1977 (IPA) govern how state and local agencies may use and disclose personal in- formation including medical information. The IPA does not apply to city and county agencies.519 Un- der the IPA agencies may not disclose medical information unless an individual has voluntarily consented in writing.520 Moreover, medical infor- mation may be exempt from disclosure under the Public Records Act if a disclosure would constitute an unwarranted invasion of personal privacy.521 In sum, state public records disclosure statutes tend to have an exception that precludes the pro- duction of health records without an individualâs consent. XVII. CIVIL ACTIONS AT COMMON LAW FOR HEALTH PRIVACY VIOLATIONS A. Tort Actions Under State Common Law Some courts recognize that there is a common law duty to secure another personâs confidential information.522 One source argues that â[s]tate common law provides broader protections against the disclosure of health information and affords patients a right of access to their own health in- formation.â523 Articles typically discuss common jectionable to a reasonable person and in which the sub- jectâs right to privacy outweighs any legitimate public interest in obtaining the informationâ); Md. Public In- formation Act, MD. CODE ANN., State Government § 10- 616 (2013) (stating that with respect to hospital records a custodian shall deny inspection of a hospital record that â(1) relates to ⦠(iii) medical care; or (iv) other medical informationâ¦.â); N.Y. PUB. OFF. LAW § 87(2)(b) (2013) (providing that an âagency may deny access to records or portions thereof thatâ¦if disclosed would con- stitute an unwarranted invasion of personal privacy under the provisions ofâ¦this articleâ and that â[a]n unwarranted invasion of personal privacy includes, but shall not be limited toâ¦disclosure of items involving the medical or personal records of a client or patient in a medical facilityâ¦.â). See also New Yorkâs Personal Privacy Protection Law, N.Y. PUB. OFF. LAW §§ 91 and 96 (2013). 519 CAL. CIV. CODE §§ 1798.3 and 1798.14 (2013) and CAL. GOVâT CODE § 6252 (2013). 520 Id. § 1798.24 (2013). 521 CAL. GOVâT CODE § 6254 (2013) and CAL. CIV. CODE § 1798.24(g) (2013). 522 Pasternack, supra note 8, at 831 (citing Thomas J. Smedinghoff, The Emerging Law of Data Security: A Focus on the Key Legal Trends, 934 PRACTISING LAW INSTITUTE 13, 22 (2008)). 523 Pritts, supra note 417, at 330.
50 law claims in the context of claims against health care providers, such as for invasion of privacy, express or implied breach of contract, breach of fiduciary relationship, and other claims discussed herein.524 In general, HIPAA does not preempt state causes of action for a violation of the confi- dentiality or privacy of medical records.525 No transit agency reported that it had been sued concerning its receipt or handling of health information on its clients. No cases were located in which a transit agency has been sued for al- leged improper disclosures of a patronâs health information. Nevertheless, as discussed hereafter, there are some privacy cases against persons or entities in which the courts agreed that the plain- tiff or plaintiffs stated a claim for invasion of pri- vacy of health information. B. Invasion of Privacy Using the Restatement (3d) of Torts (Restate- ment) as a guide, there are at least four causes of action that may apply to an unauthorized and im- permissible use or disclosure of health informa- tion: public disclosure of private facts; intrusion upon seclusion; misappropriation; and false light.526 Claimants alleging invasion of privacy often assert other claims such as for negligence, infliction of emotional distress, or breach of fidu- ciary duty527 or for breach of contract, all of which are discussed hereafter.528 1. Public Disclosure of Private Facts Although a remedy for disclosure of health in- formation at common law is said to be âdiffi- cult,â529 there are states such as Colorado and Minnesota that recognize âthe tort of invasion of privacy based on unreasonable public disclosure 524 Id. at 330â31 (citing Horne v. Patton, 287 So. 2d 824 (Ala. 1974); MacDonald v. Clinger, 84 A.D. 2d 482, 446 N.Y.S.2d 801, 802 (N.Y. App. Div. 1982)). 525 Wright v. Combined Ins. Co. of America, 959 F. Supp. 356 (N.D. Miss. 1997) (holding that HIPAA did not preempt state law causes of action); OâDonnell v. Blue Cross Blue Shield of Wyoming, 173 F. Supp. 2d 1176 (D. Wyo. 2001) (holding that HIPAA did not pre- empt state law claims for breach of contract, estoppel, misrepresentation, and bad faith); Cowan v. Combined Ins. Co. of America, 67 F. Supp. 2d 1312 (M.D. Ala. 1999) (holding that HIPAA did not preempt state law claims against an insurer for fraud, breach of contract, breach of fiduciary duty, and outrage). 526 Ayres, supra note 42, at 994 (footnote omitted). 527 See Section XVII.C of this digest. 528 See Section XVII.D of this digest 529 Pritts, supra note 417, at 331. of private facts.â530 To be actionable a disclosure has to reveal ââunpleasant or disgraceful or hu- miliating illnessesâ or âhidden physical or psychi- atric problems.ââ531 A tort action for public disclo- sure is unlikely to succeed if the injury from the disclosure is minimal.532 It appears that most ju- risdictions require that a disclosure was made to the general public, âusually through the media.â533 Several cases have considered what satisfies the publicity requirement. For example, in Grant v. United States534 the court dismissed the plaintiffâs claim for a breach of his right of privacy for public disclosure of pri- vate facts. The court held that the tort required a disclosure that was âtantamount to publicityâ but that the defendants only disclosed the plaintiffâs health information to the attorney of one of the defendants.535 In Doe v. Brundage-Bone Concrete Pumping, Inc.,536 in which a hospital billing clerk disclosed plaintiffâs sensitive health records only to the defendantâs manager, the court held that a disclosure to a âlimited number of co-workersâ is not a publication.537 In Watkins v. Cornell Compa- nies, Inc.538 the plaintiffs alleged that the defen- dant violated the plaintiffsâ common law right to privacy when the defendantâs employees filmed the plaintiffs in violation of the defendantâs confi- dentiality policies539 and showed the film to groups and individuals to raise money and obtain future contracts.540 The court decided that the re- quired element of publicity was not satisfied be- cause the film was not âcommunicated to the pub- 530 Id. (citing Colorado and Minnesota). See id. (cit- ing, e.g., Ozer v. Borquez, 940 P.2d 371, 377 (Colo. 1997) and Lake v. Wal-Mart Stores Inc., 582 N.W.2d 231, 234 (Minn. 1998)). 531 Pasternack, supra note 8, at 833 (footnote omit- ted). 532 Id. (footnote omitted). 533 Ayres, supra note 42, at 995 (stating that a recov- ery in tort for an invasion of privacy is limited as the disclosure or communication must be âto the public at largeâ); see Pritts, supra note 417, at 331. 534 2011 U.S. Dist. LEXIS 61833, at *1 (E.D. Cal. 2011). 535 Id. at 18. 536 2006 U.S. Dist. LEXIS 100042 (W.D. Okla. 2006). 537 Id. at 10. 538 2013 U.S. Dist. LEXIS 66376, at *1 (N.D. Tex. 2013). 539 Id. at 3. 540 Id. at 4.
51 lic at large or disseminated to so many people that it [became] public knowledge.â541 In Cordts, the plaintiff alleged that a company hired by his employer to evaluate disability claims wrongfully disclosed to his ex-wife that he was receiving treatment for depression. The plaintiff further alleged that the disclosure violated his employerâs written assurance that his health in- formation would not be disclosed to unauthorized parties.542 The plaintiff sued for public disclosure of private facts,543 as well as for a violation of the Illinois Mental Health and Development Disabili- ties Confidentiality Act as discussed in Section XVI.C of this digest.544 The court held that the disclosure to Cordtsâ ex- wife (via a text message) stated a claim for inva- sion of privacy based on a public disclosure of pri- vate facts.545 The court observed that the required element of publicity may be satisfied when âa dis- closure is made to a small number of people who have a âspecial relationshipâ with the plaintiffâ546 and a ânatural and proper interestâ in the infor- mation (citations omitted).547 The court held that the plaintiffâs ex-wife continued to have a natural and proper interest, because Cordtsâ claim for dis- ability benefits indicated that he had a condition that potentially could affect his ability to support his daughter and thereby harm his ex-wife.548 2. Intrusion Upon Seclusion A second cause of action for an invasion of pri- vacy for disclosing health information is for intru- sion upon seclusion. There are various defenses to such a claim, including that the plaintiff did not intend to keep the information private; that under the circumstances the plaintiff did not have a rea- sonable expectation of privacy of the information; or that the plaintiff voluntarily and without any 541 Id. at 23. 542 Cordts, 369 Ill. App. 3d at 602, 860 N.E.2d at 446â 47. 543 To state a cause of action in Illinois for public dis- closure of private facts, a plaintiff must plead that the defendants publicized the plaintiffâs private not public life; that the matter publicized would be highly offen- sive to a reasonable person; and that the matter that was published was not one that had a legitimate public concern. Cordts, 369 Ill. App. 3d at 603, 860 N.E.2d at 447. 544 740 ILL. COMP. STAT. 110/1, et seq. 545 Cordts, 369 Ill. App. 3d at 607, 860 N.E.2d at 450. 546 Id., 369 Ill. App. 3d at 607, 860 N.E.2d at 450. 547 Id., 369 Ill. App. 3d at 608, 860 N.E.2d at 451. 548 Id., 369 Ill. App. 3d at 610, 860 N.E.2d at 452. coercion consented to disclosure (footnotes omit- ted).549 The tort of intrusion upon seclusion is similar to the tort for invasion of privacy, but the tort does not require a showing that a disclosure was made to the general public.550 As held in an Arkansas case, the tort of intrusion requires âspe- cific intrusive action as opposed to disclosing pri- vate information.â551 In Watkins the plaintiffs also sued for intrusion upon seclusion. The court ruled, however, that the plaintiffsâ knew they were being filmed. Intrusion on seclusion requires proof of (1) an intentional intrusion, physically or otherwise, upon anotherâs soli- tude, seclusion, or private affairs or concerns, which (2) would be highly offensive to a reasonable person. â¦Liability does not turn on publication of any kind. The core of the tort of invasion of privacy is the offense of pry- ing into the private domain of another, not the publicity that may result from such prying (citations omitted) (in- ternal quotation marks omitted).552 Thus, under Texas law, the tort requires âsome sort of intrusionâ that did not exist in the Watkins case. In Rhoades,553 in which a high school adminis- tered a psychological assessment test to the plain- tiff and other high school students, the court granted a summary judgment to the defendant school on the plaintiffsâ intrusion claim. The court held that an intrusion claim requires physical contact or an invasion of a plaintiffâs physical space.554 Likewise, in Steinberg, in which the plaintiffs alleged that the defendants misused their confidential prescription information, the court held that there had been a voluntary disclo- sure of the information by the defendants. Like- wise, under Pennsylvania law an intrusion claim cannot exist when âa defendant legitimately ob- tains information from a plaintiff.â555 Another issue for an intrusion claim is whether a disclosure is sufficiently offensive. In Cooney, involving a firmâs disclosure of personal informa- tion on former Chicago public school employees, the court, in ruling that there were no actionable claims, drew a distinction between personal in- formation and private information. Names and 549 Ayres, supra note 42, at 995. 550 See Restatement § 652(B). See also Reid v. Pierce County, 136 Wash. 2d 195, 206, 961 P. 2d 333, 339-340 (1998). 551 Dunbar v. Cox Health Alliance, LLC, 446 B.R. 306, 313â14, 2011 Bankr. LEXIS 812 (E.D. Ark. 2011). 552 Watkins, 2013 U.S. Dist. LEXIS 66376 at 21â22. 553 574 F. Supp. 2d 888 (N.D. Ind. 2008). 554 Rhoades, 574 F. Supp. 2d at 907-908 N 3. 555 Steinberg, 899 F. Supp. 2d at 342-343.
52 social security numbers may be personal informa- tion, but the court held that their disclosure was not âfacially embarrassing and highly offen- siveâ¦.â556 In Doe v. Di Genova,557 involving a sub- poena of the plaintiffâs medical records main- tained by the Veterans Administration, the court held that there is no claim for intrusion when an intrusion is reasonable under the circumstances or when an intrusion is not âserious.ââ In Brund- age-Bone Concrete Pumping, concerning the plain- tiffâs intrusion claim based on a hospital em- ployeeâs divulgence of information to one of the defendantâs managers, the information divulged was held not to be âhighly offensive to a reason- able person.â558 Finally, as stated in Grant, California law re- quires proof of an âintrusion into a private place, conversation or matterâ¦in a manner highly of- fensive to a reasonable person.â559 Although the court agreed that plaintiffâs allegations were suffi- cient to state a claim, the court dismissed the claim. The basis of the dismissal was that Cali- forniaâs absolute litigation privilege immunized the defendants for a publication or broadcast made in connection with a judicial proceeding.560 The court held that the âprivilege applies to com- mon law, statutory, and constitutional claims of invasion of privacy.â561 3. Claims for Misappropriation or False Light Because they are mentioned in the Restate- ment, privacy claims based on misappropriation or false light will be noted briefly. For a plaintiff to make a misappropriation claim, a transit agency must have committed âmedical identity theftâ and made a commercial use of the individ- ualâs âmedical likenessâ (footnote omitted).562 For there to be a tort claim for false light against a 556 Cooney, 407 Ill. App. 3d at 367, 943 N.E.2d at 32. 557 Doe v. Di Genova, 642 F. Supp. 624, 632 (1986), (holding that under the Privacy Act (see discussion in App. A to this digest), Doe was entitled to an order pro- hibiting release of the records). 558 Brundage-Bone Concrete Pumping, Inc, 2006 U.S. Dist. LEXIS 100042 at 11. See also Setzer v. Farmers Insurance Company, Inc., 185 Fed. Appx. 748 (10th Cir. 2006) (affirming summary judgment for defendant on invasion of privacy and intrusion of seclusion claims because the conduct at issue was not highly offensive). 559 Grant, 2011 U.S. Dist. LEXIS 61833 at 20 (citing CAL. CIV. CODE § 47(b)). 560 Id. at 22â23. 561 Id. at 22â23, 24. 562 Ayres, supra note 42, at 998. transit agency, a plaintiffâs health information would have to have been revealed to the public by the media, the same element that generally is re- quired for a claim for a public disclosure of private facts (footnote omitted).563 C. Other Common Law Tort Actions Other possible state law claims for wrongful disclosure of health information include tort ac- tions for negligence, negligent or intentional in- fliction of emotional distress, and breach of fiduci- ary duty and for breach of contract.564 1. Negligence Claims for Privacy Violations Although a negligence claim may exist against a health care provider for breach of confidentiality (footnotes omitted),565 there may not be necessarily such an action against a transit agency be- cause of the absence of a relationship of trust such as ex- ists between individuals and health care providers that may give rise to a duty to putative plaintiffs.566 For a negligence claim, a plaintiff has to estab- lish that there was a breach of a duty owed by the defendant to the plaintiff that was the proximate cause of plaintiffâs damages. In Rhoades, at the summary judgment stage the court did not dis- miss the plaintiffsâ claim that the defendant com- mitted negligence in requiring students to take a psychological assessment test.567 However, in both Brundage-Bone Concrete Pumping568 and Wat- kins569 the courts rejected the negligence claims. Assuming there is a basis for a negligence claim under state law, even though there is no private right of action under HIPAA, it has been held that the HIPAA standards and requirements may serve as evidence of the standard of care ap- plicable to the privacy and security of an individ- ualâs health information.570 563 Id. at 1000. 564 Id. at 1001. 565 Id. at 1003â1004. 566 See discussion in Section XVII.C.3 of this digest; see also Collins, supra note 341, at 231 (footnote omit- ted). 567 Rhoades, 574 F. Supp. 2d at 905. 568 Brundage-Bone Concrete Pumping, Inc, 2006 U.S. Dist. LEXIS 100042 at 18. 569 Watkins, 2013 U.S. Dist. LEXIS 66376 at 12 (holding that claim for negligence per se claim failed because the claim could not be predicated on the non- penal statutory sections at issue). 570 Michael W. Drumke, A HIPAA PRIMER 37 BRIEF 38, 40 (2008), available at http://documents.jdsupra.com/44f508a0-bfa3-431d-87d8- f716a2c8b206.pdf, hereinafter referred to as âDrumkeâ
53 2. Infliction of Emotional Distress Plaintiffs in privacy cases have claimed either negligent or intentional infliction of emotional distress because of the disclosure of their health information. A plaintiff must establish that a de- fendant engaged in extreme and outrageous con- duct that negligently, intentionally, or recklessly caused the plaintiff to suffer severe emotional dis- tress.571 In Cooney the court dismissed a claim by the former public school employees, because he defendants had no duty to the plaintiffs not to disclose their personal information.572 In Brund- age-Bone Concrete Pumping, the court dismissed the plaintiffâs claim for intentional infliction of emotional distress because the conduct in ques- tion âwas not extreme and outrageous.â573 Medical evidence may be required to make a case of infliction of emotional distress. In Guthrie Clinic, Ltd., the plaintiff failed to allege that he had suffered a physical manifestation of an emo- tional injury that is required for a claim for inflic- tion of emotional distress.574 In Faison, the court rejected the plaintiffsâ claim for intentional inflic- tion of emotional distress allegedly caused by the defendantâs filming of the plaintiffs in part be- cause of the absence of âcompetent medical evi- dence of causation and severity.â Thus, expert medical testimony may be necessary to prove that a plaintiff suffered emotional distress.575 3. Breach of Fiduciary Duty The required elements for a claim for breach of fiduciary duty are the existence of a fiduciary re- lationship and a knowing breach by the defendant of the fiduciary duty that was the proximate cause (citing Acosta v. Byrum, 180 N.C. App. 562, 638 S.E.2d 246, 253 (N.C. Ct. App. 2006)). 571 Rhoades, 574 F. Supp. 2d at 908 (citing Branham v. Celadon Trucking Services, Inc., 744 N.E.2d 514, 523 (Ind. Ct. App. 2001)). 572 Cooney, 407 Ill. App. 3d at 363, 943 N.E.2d at 29. 573 Brundage-Bone Concrete Pumping, Inc, 2006 U.S. Dist. LEXIS 100042 at 16. 574 Guthrie Clinic, Ltd., 2012 U.S. Dist. LEXIS 20507 at 21. In New York the elements of the claim are that the defendant engaged in â(1) extreme and outrageous conduct; (2) [with] intent to cause, or reckless disregard of a substantial probability of causing, severe emotional distress; (3) a causal connection between the conduct and the injury; and (4) severe emotional distress.â Id. at 21â22. 575 Faison, 823 F. Supp. at 1206 (quoting Kazatsky v. King David Memorial Park, Inc., 515 Pa. 183, 527 A.2d 988, 989 (1987) (internal quotation marks omitted)). of the plaintiffâs damages.576 In the Guthrie Clinic, Ltd. case577 involving a nurseâs disclosure of the plaintiffâs medical condition to his girlfriend, the court held that the clinic did not have a fiduciary duty to the plaintiff. The court held that a mere disclosure of health information is insufficient to establish a claim for a breach of fiduciary duty.578 D. Breach of Contract Claims for Health Privacy Violations Because of the contractual nature of the trans- portation services at issue, a transit agency should be aware of the possibility of a privacy claim based on a theory of a breach of express or implied contract.579 However, for a breach of con- tract claim a plaintiff would have to establish that the plaintiffâs health information was provided in exchange for a promise expressly or impliedly made by the defendant.580 In Guthrie Clinic, Ltd., the court ruled that the defendants had not vio- lated an ââimplied contractâ of good faithâ when a nurse disclosed the plaintiffâs medical condition. Equally important is that the court held that the nurseâs conduct was not within the scope of her employment and thus was not attributable to her employer.581 Although transit agencies reported having pro- cedures to keep health information confidential, the documents provided by transit agencies for this digest do not show that there is an express or implied contract for the privacy or security of health information.582 Moreover, paratransit ser- vice is provided because of DOT and ADA nondis- crimination laws and other federal or state laws or programs, not because of an express or implied contract to protect a personâs health informa- tion.583 To the extent that a claim against a tran- sit agency is based on HIPAA, there is no private 576 Guthrie Clinic, Ltd., 2012 U.S. Dist. LEXIS 20507 at 9 (internal quotation marks omitted). 577 2012 U.S. Dist. LEXIS 20507, at *1 (W.D. N.Y. 2012). 578 Cooney, 407 Ill. App. 3d at 363, 943 N.E.2d at 29. 579 See Pasternack, supra note 8, at 833. 580 Id. at 834 (citing Seth Safier, Between Big Brother and the Bottom Line: Privacy in Cyberspace, 5 VA. J.L. & TECH. 6, 113 (2000)); Sorenson v. Barbuto, 143 P. 3d 295, 299 (Utah App. 2006); and Acosta v. Byrum, 180 N. C. App. 562, 638 S.E.2d 246, 253 (2006)). 581 The court also rejected any strict liability in tort based on the nurseâs conduct. Guthrie Clinic, Ltd., 2012 U.S. Dist. LEXIS 20507 at 16. 582 See App. B of this digest. 583 See Section XV.A of this digest.