Health provider snooping gets little attention but does big damage

An investigation by ProPublica and NPR into the damage inflicted by even the smallest release of private health information provides a good opportunity to re-examine a Minnesota case over who’s liable when a health care provider’s loose lips inflict damage.

In its investigation released today, ProPublica said small, unflashy releases of private information, “driven by personal animus, jealousy or a desire for retribution are spurring disputes and legal battles across the country.”

It said while most of the publicity of incidents has focused on large-scale data theft, the damage in those types of cases is mostly hypothetical, while these small invasions of privacy do real damage.

“My argument has been that protecting the confidentiality of your protected health information, protecting your privacy, is part of what it is to be a doctor,” Indianapolis lawyer Neal Eggeson said. “It’s part of your oath, it’s part of your duty.”

But, at least in Minnesota, it’s not a liability that falls on the organizations which employ those snooping into patient data. Here, health providers are generally not liable for the actions of workers who access medical records outside the scope of their jobs.

That fact stems from a June 2009 decision from the Minnesota Court of Appeals (pdf), which turned aside Candace Yath’s lawsuit against Fairview Clinics. She had told a doctor at Cedar Ridge Clinic in Apple Valley in March 2006 that she had a new partner and wanted to be tested for sexually transmitted diseases.

Navy Tek, a medical assistant there at the time, saw Yath at the clinic and, because Tek knew Yath’s husband (the couple was separated), snooped into her reasons for being there. She accessed her medical records, learned she was there to be tested for an STD and that Yath, indeed, had a sexually transmitted disease.

Tek phoned an acquaintance and, after receiving a promise that her acquaintance could tell no one else, told her about the diagnosis.

A few days later, a MySpace post revealed that Yath “has a sexually transmitted disease, that she recently cheated on her husband, and that she is addicted to plastic surgery.”

Though the post was removed, Yath sued the acquaintances, the medical technician, and Fairview.

A district court threw the suit out because a judge didn’t consider a MySpace page, viewed only a few times before it was removed, to constitute “publicity,” a requirement of the state’s invasion of privacy laws. While the Minnesota Court of Appeals rejected that defense, it said that Fairview and the medical technician didn’t create the MySpace page, so they weren’t liable for damage done by the invasion of privacy.

The three-judge panel said for Fairview to have been liable, the invasion of privacy and dissemination of the information had to be “foreseeable.” In making that determination, it cited a Minnesota Supreme Court ruling that an employer was not liable for the sexual harassment of an employee by another employee.

Minnesota has generally been late to the party when it comes to private suits for privacy violations. It only started recognizing such suits in the late ’90s.

ProPublic acknowledged in its year-long investigation into these types of cases that health care providers are making efforts to discourage workers from violating the privacy of patients — firing the employee, for example — but the technology available to keep an eye on employees of health care organization is still insufficient.