HIPAA and Employment Law
By Melanie D. Bragg
The Health Insurance Portability and Accountability Act (HIPAA) was passed more than 10 years ago. Today, at the end of this first decade of the new century, America’s healthcare system is still undergoing a radical transition that affects everyone—from patients to health care providers and business entities that deal with those providers. And that includes doctors, lawyers, and CPAs. To some people, HIPAA is nebulous and shrouded with confusion—for good reason: it is indeed a hefty body of legislation. The final rule is nearly 700 pages. Everyone should know the law that applies to their health information and that of their employees.
Application to Employment Law
One of the leading cases in the area of HIPAA and employment law is Equal Employment Opportunity Commission v. Boston Market, 2004 U.S. Dist. LEXIS 27338. In this case, the EEOC sued the defendant, Boston Market, alleging disability discrimination. Defendant sought an order from the court permitting it to communicate with several entities, including the psychologists treating the plaintiff-employee, Christine Gagliardi.
Plaintiffs authorized the defendant to obtain all medical records and to depose Gagliardi’s doctors, but asserted that HIPAA “preclude[s] ex parte discussions by Boston Market with those entities.”
Plaintiffs first argued that New York law provides a statutory psychologist/patient privilege that precluded the defendant from engaging in ex-parte communications. The district court began its analysis by examining whether state law was preempted by HIPAA, since the case was in the district court under federal question jurisdiction.
Plaintiffs argued that New York law was more stringent than HIPAA and should control. The court cited the Seventh Circuit Court of Appeals decision in Northwestern Memorial Hospital v. Ashcroft, 362 F.3d 923, 925 (7th Cir. Ill. 2004) which determined that “HIPAA regulations do not impose state evidentiary privileges on suits to enforce federal law.” The court explained that a more stringent state law may be applied (1) when the suit is in state court, or (2) in federal court when “state law provides the rule of decision.”
The Boston Market court was persuaded by this reasoning and found that New York’s psychologist/patient privilege statute did not apply. The court still decided in favor of plaintiffs, finding that HIPAA “clearly regulates the methods by which a physician may release a patient’s health information” and ex parte communications that are not HIPAA-compliant are prohibited.
HIPAA can be an obstacle for attorneys defending employers attempting to gain information from a plaintiff-employee’s treating physician. ( See, e.g., Brian K. Powell & Richard A. Bales, HIPAA as a Political Football and Its Impact on Informal Discovery in Employment Law Litigation, 111 Penn. St. L. Rev. 137 (2006)). Prior to HIPAA’s enactment, employers in most states could use ex parte communications with a treating physician as an informal and cost-effective form of discovery. Since enactment, however, HIPAA acts “as a gag order on health care providers, prohibiting any disclosure of PHI to a defendant-employer absent the plaintiff-employee’s written authorization.” Section 164.512(e) lifts the gag order. Under this section:
A covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section . . .
(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:
(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or
(ii) In response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal, if:
(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or
(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.
In a recent decision, Vaughn v. Epworth Villa, 537 F.3d 1147 (10th Cir. Okla. 2008), the Tenth Circuit Court of Appeals examined whether the employer, Epworth Villa, lawfully terminated its employee, Bernadine Vaughn, after she disclosed unredacted medical records to the EEOC to facilitate her discrimination claim. Vaughn, an African-American woman, had been disciplined for making errors on a patient’s medical records. She alleged that a younger, white employee had made the same errors and was not disciplined. Vaughn filed her claim with the EEOC and brought copies of a patient’s medical records to prove that the other employee had made the same errors and gone unpunished. The records included details of the patient’s medication regimen and narcotics records. Epworth Villa discovered the unauthorized disclosure a year after Vaughn filed the claim and terminated her employment.
In response to her termination, Vaughn filed suit against Epworth Villa and alleged that she was terminated in retaliation for filing her discrimination claim with the EEOC. The district court granted Epworth Villa’s motion for summary judgment, finding that Vaughn’s disclosure violated the HIPAA privacy regulations and her termination was appropriate. Vaughn appealed the decision. The Tenth Circuit held that Vaughn’s actions were “protected activity” under HIPAA, but it was still a violation of Epworth Villa’s company policy and procedures. This violation justified their termination of her employment. Vaughn’s retaliation claim was unsubstantiated absent proof that other employees violated the company policy against disclosure.
In Coleman v. City of Tucson, 2008 U.S. Dist. LEXIS 101325 (D. Ariz. Dec. 4, 2008), a former city employee, Timothy Coleman, brought suit against the City of Tucson alleging discriminatory employment practices. Coleman was diagnosed with various medical and psychological conditions that required him to take extended absences from work.
As a result of his disability, Coleman was unable to meet the demands of his position, and he sought reasonable accommodations. Coleman alleges that the city failed to provide these accommodations and that he was punished for his disability, including being forced to take medical retirement. Coleman sought relief under various state and federal regulations, including HIPAA. The court dismissed the portion of Coleman’s claim under HIPAA, citing Webb v. Smart Document Solutions, 499 F.3d 1078, 1081 (Cal. 2007), and reaffirming that HIPAA does not provide a private cause of action. The court permitted Coleman to bring his claim for discrimination under the Americans with Disabilities Act (ADA), the Arizona Civil Rights Act, and his common law case of retaliation.
In Rigaud v. Garofalo, 2005 U.S. Dist. LEXIS 7791 (Philadelphia, Pa.) the employee sustained a work-related injury that made her eligible for workers’ compensation benefits. The employee was referred to the health-care provider and the doctors for treatment. The employee alleged that one of the doctors contacted her employer and accused her of forging a refill authorization on a prescription, and that the doctor released information about that incident in violation of the HIPAA Privacy Rule (see 45 C.F.R. § 160.103 et seq). The court found, that based on HIPAA’s failure to provide for a private federal remedy and the absence of any legislative intent to create a private right of action, it lacked subject matter jurisdiction over the employee’s claim.
Melanie Bragg is the owner of Bragg & Associates in Houston, Texas. She is also the president of Legal Insight, a company founded in 1993 to provide legal education on a variety of subject to healthcare professionals. Her phone is 713-993-0300, and her email address is firstname.lastname@example.org.
Do you want to learn more on this subject or need forms to help your clients comply with HIPAA? If so, click here to purchase the author’s book, which includes appendices with numerous forms, checklists, and copies of relevant regulations.
This article is an excerpt from HIPAA for the General Practitioner, by Melanie Bragg, pp. 147–151. Copyright 2009 © by the American Bar Association. Reprinted with permission. This information or any or portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
© Copyright 2010, American Bar Association.