Here’s a court decision from the US (again) that deals with a privacy claim in a medical records situation. The lawsuit was against the clinic, city and county.
This case really brings home that a party receiving a “legal requirement” to disclose private information has a a duty to ensure that the “legal requirement” is actually binding on them. If not, they are liable for the privacy infringement, as was the case here.
What I like about this case is it demonstrates a few principles of law, although not explicit in the case decision, including that a federal law does not govern over the privacy rights of an individual. (It also reads like a soap opera or tv movie script with all the intrigue and multiple story lines).
In this case a grand jury issued subpoena “ordered” a medical clinic to hand over patient records, so they did.
The individual sued for breach of privacy and won…or in this case settled out of court when the court had determined he actually had a solid claim, even though a federal law “appeared” to mandate that the clinic “was compelled” to provide the records.
This goes to the heart of a few legal principles:
- you do have privacy rights
- you must defend them, even if it means going to court
- state or provincial law can trump federal law
I like this case as evidence of the law being there to protect us, if we use it.
Bold emphasis mine below
Rejecting a defense based on compliance with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), a federal court in Ohio denied a medical clinic’s motion to dismiss invasion of privacy claims following the clinic’s disclosure of medical records to a grand jury. In Turk_v_Oiler No. 09-CV-381 (N.D. Ohio Feb. 1, 2010), plaintiff Turk had been under investigation for illegally carrying a concealed weapon and for having a weapon while under disability in violation of an Ohio law which provides that “no person shall knowingly acquire, have, carry, or use any firearm” if “[t]he person is drug dependent, in danger of drug dependence, or a chronic alcoholic.” Defendant Cleveland Clinic, where Turk was a patient, received a grand jury subpoena requesting “medical records to include but not be limited to drug and alcohol counseling and mental issues regarding James G. Turk.” When the Cleveland Clinic disclosed Turk’s medical records in response to this subpoena, Turk sued the clinic for violating his privacy rights.
It its defense, the clinic argued that a specific exemption in HIPAA permits such disclosure of medical records in response to a grand jury subpoena. Ohio’s physician-patient privilege, however, provides that a physician cannot testify as to “a communication made to the physician . . . by a patient in that relation or the physician’s . . . advice to a patient.” The court found that the term “communication,” as used in the statute, includes hospital records “and is sufficiently broad to cover any confidential information gathered or recorded within them during the treatment of a patient at the hospital.” Because the HIPAA provision exempting the disclosure would not preempt this more restrictive state law, the court denied the clinic’s motion and refused to dismiss Turk’s privacy claim. That decision may have prompted a settlement, as this week, the court granted a request by Turk to dismiss all of his claims against the clinic.
PDF of the court decision- Privacy Law_Turk_v_Oiler[pay-elite] http://www.huntonprivacyblog.com/2010/05/articles/hipaa-1/state-law-trumps-hipaa-in-suit-over-disclosure-of-medical-records/#more[/pay-elite]