Brief Fact Summary. The Plaintiff, Candace Yath, went to the Fairview Cedar Ridge Clinic (Fairview) (Defendant) for a medical appointment so she could be tested for sexually transmitted diseases.Â Navy Tek (Defendant) was the medical assistant who saw Plaintiff at the clinic and was related to Plaintiff’s husband.Â Defendant read Plaintiff’s medical file and learned that she had a sexually transmitted disease and a new sex partner other than her husband.Â Defendant shared this information with another employee who then shared it with others, including Plaintiff’s husband, who she was separated from.Â Someone then created a MySpace.com webpage posting the information on the Internet.Â Under various legal theories, Plaintiff brought suit against Defendant and the persons allegedly involved.
Synopsis of Rule of Law. (1)Â An Internet posting of private, personal medical information on a social media website constitutes “publicity” for the purposes of an invasion of privacy action. (2)Â A state statute that authorizes a private action for the improper release of medical records is not preempted by the federal Health Insurance Portability and Accountability Act.
An employer may be held liable for even the intentional misconduct of its employees when (1) the source of the attack is related to the duties of the employee, and (2) the assault occurs within work-related limits of time and place.View Full Point of Law
Issue. (1)Â Does an Internet posting of private, personal medical information on a social media website, constitute “publicity” for the purposes of an invasion of privacy action? (2)Â Is a state statute that authorizes a private action for the improper release of medical records preempted by the federal Health Insurance Portability and Accountability Act?
Held. (Ross, J.)Â (1)Â Yes.Â An Internet posting of private, personal medical information on a social media website, constitutes “publicity” for the purposes of an invasion of privacy action. The tort of invasion of privacy is recognized by the court on three alternative theories:Â intrusion of seclusion, appropriation of a name or likeness of another, and publication of private facts.Â Plaintiff’s invasion-of-publicity claim is based on the publication of private facts, so the claim can only survive summary judgment if there is evidence in the record that (1) a defendant gave “publicity” to a matter concerning Plaintiff’s private life, (2) the publicity of the private information would be highly offensive to a reasonable person, and (3) the matter is not of legitimate concern to the public.Â Plaintiff was unable to prove that a sufficient number of people had seen the webpage, and therefore the district court held that her private information was not given “publicity” within the meaning of the tort of invasion of privacy.Â A different legal conclusion is reached by this court.Â In an invasion of privacy claim, the publicity element is satisfied when private information is posted on an Internet website that is accessible by the public.Â Plaintiff’s information posted on the MySpace.com webpage survives the “publicity” challenge.Â The reasoning that led the court to hold the position that posting information on a publicly accessible webpage constitutes publicity is not eroded by the fact that the Internet immensely increases both the amount of information available to the public and the number of sources offering information.Â It is a fact that mass communication is no longer limited to a small handful of commercial vendors and that we live with much greater access to information than in the era when the tort of invasion of privacy developed.Â This astonishing advancement in communication argues for, not against, a holding that the posting on MySpace.com constitutes publicity.Â While some public webpages may not get much attention, the unrestricted MySpace.com webpage posting likewise constitutes publicity.Â Plaintiff’s claim of invasion of privacy fails because she did not succeed in producing any evidence on an essential element of her claim, specifically that any of the defendants that survived on appeal were involved in creating or sustaining the disparaging MySpace.com webpage.Â Affirmed.
(2)Â No.Â A state statute that authorizes a private action for the improper release of medical records is not preempted by the federal Health Insurance Portability and Accountability Act (HIPPA).Â Fairview (Defendant) argued that the state statute section is “contrary” to HIPAA because the section provides for a private cause of action for the wrongful disclosure of a person’s medical records, but HIPAA does not.Â However, just because a distinction exists, does not make the state statute provision “contrary” to HIPAA.Â A state law is “contrary” to HIPAA if a health care provider “would find it impossible to comply with both the state and federal requirements” or if the state law is “an obstacle to the accomplishment and execution of the full purposes” of HIPAA.Â [45 C.F.R. Â§ 160.202.]Â It would not be impossible for Fairview (Defendant) or Phat (Defendant) to comply with both HIPAA and the state statute section because both laws, in complementary rather than contradictory fashion, discourage a person from wrongfully disclosing information obtained from another person’s health record.Â Both laws have similar goals.Â Both laws protect the privacy of an individual’s health care information.Â The difference in remedy is functional only, in that a HIPAA violation makes a person subject to criminal penalties while the state statute section exposes a person to compensatory damages in a civil action.Â Although under the two laws the penalties are different, compliance with the state statute section does not exclude compliance with HIPAA.
Â The state statute section also is not “an obstacle to the accomplishment and execution of the full purposes” of HIPAA.Â The stated purpose of HIPAA is to improve the Medicare and Medicaid programs and “the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.”Â To accomplish that purpose, entities that maintain or transmit health care information are required by HIPAA to establish safeguards “to ensure the integrity and confidentiality” of a person’s health care information and “to protect against any reasonably anticipated unauthorized uses or disclosures of the information.”Â [42 U.S.C. Â§ 1320d-2(d)(2).]Â If a person wrongfully discloses health care information, that person may be subject to criminal penalties including fines or imprisonment.Â Instead of creating an “obstacle” to HIPPA, the state statute section supports at least one of HIPAA’s goals by establishing another reason not to wrongfully disclose a patient’s health care record.Â The state statute section is not a contrary state law preempted by HIPAA.Â The district court’s preemption decision is reversed and remanded.
Discussion. Contrary to arguments of the defendants, the posting of personal private medical information on an Internet website is sufficient for the “publicity” prong of the invasion of privacy test, no matter how limited the site or webpage may be.Â Similarly, the trial court erred in that the state medical privacy statute was not preempted by HIPPA, which permitted another cause of action for unlawful disclosure of personal information.Â Although Plaintiff failed for other reasons, by giving her an avenue to continue her cause of action for the outrageous conduct of the hospital employees and others, the right of privacy and the ability to bring private actions for disclosure was upheld.