Workplace Privacy and Protected Medical Information
Presented to the Columbus Bar Association Labor and Employment Law Committee
October 3, 2007

by:
Barbara K. Letcher
Newhouse, Prophater, Letcher & Moots, LLC
Tel: (614) 255-5441

I. COMMON LAW PRIVACY OBLIGATIONS

A. Common law origin.
Unlike some states, Ohio has no statute defining general privacy
rights with respect to medical information. These rights are a
function of court decisions, and are therefore a part of the common law.

B. Reasonable expectation of privacy.
The right of privacy hinges on an employee’s reasonable
expectation of privacy, which can arise from several sources:

  1. Common expectations based on social values (don’t peek
    into the shower stall).

  2. Employer policies (“Our e-mail system is for the private
    use of our employees”).

  3. Statutory and regulatory restrictions (HIPAA defines medical
    information as protected, and restricts its dissemination and use).

C. Common law protection of medical information.
Long before there was HIPAA, Ohio courts recognized the duty of
an employer to maintain the confidentiality of medical information
related to its employees and recognized the tort of invasion of
privacy to address violations of the reasonable expectation of
privacy.

In Ohio, the tort of invasion of privacy includes four distinct causes
of action. See, e.g., Housh v. Peth (1956), 165 Ohio St. 35, 133
N.E.2d 340; Killilea v. Sears, Roebuck & Co. (1985), 27 Ohio
App.3d 163, 499 N.E.2d 1291. These causes of action result from the:

  1. Intrusion into the individual’s seclusion, solitude, or private
    affairs;

  2. Public disclosure of embarrassing private facts about the
    individual;

  3. Publicity that places the individual in a false light; and

  4. Appropriation of the individual’s name or likeness to gain an
    advantage.

A claim arising from the disclosure of an employee’s medical
information is analyzed as a claim based on a public disclosure of
embarrassing private facts about the employee. To maintain the
public disclosure variety of an invasion of privacy claim, the
employee must satisfy three requirements. See Greenwood v. Taft,
Stettinius & Hollister (1995), 105 Ohio App.3d 295, 663 N.E.2d
1030, citing Restatement (Second) of Torts, Section 652D (1965);
Seta v. Reading Rock, Inc. (1995), 100 Ohio App.3d 731, 654
N.E.2d 1061. The employee must establish that there was:

  1. A clearly private fact;

  2. Public disclosure of the private fact; and

  3. A showing that the matter made public is one which would
    be highly offensive and objectionable to a reasonable person.

Courts have drawn a distinction between the “publicity” necessary
to support a claim for invasion of privacy and “publication” as used
in the defamation context. See Killilea, supra; Reading Rock, supra.

To maintain a defamation claim, the plaintiff need only show a
publication which is defined as any communication from the
defendant to a third person. In contrast, an invasion of privacy
claim requires that the matter be made public, by communicating it
to the public at large, or to so many persons that the matter must
be regarded as substantially certain to become one of public
knowledge.

This distinction is identified in the Restatement of Torts which goes
on to state that it is not an invasion of privacy to communicate a
fact about an individual’s private life to a single person or even a
single group of persons. Restatement (Second) of Torts, Section
652D, comment a. But see, Levias v. United Airlines (1985), 27
Ohio App.3d 222, 500 N.E.2d 370 (which upheld jury verdict for
employee in context of limited disclosure).

There is a split of authority concerning whether the disclosure must
be intentional before it can be actionable. Those cases which
require an intentional act cite McCormick v. Haley (1973), 37 Ohio
App.2d 73, 307 N.E.2d 34. However, McCormick involved an
invasion of privacy claim based on an intrusion into an individual’s
private affairs. Section 652B of the Restatement notes that this
type of claim requires intentional interference, a requirement not
included in Section 652D. In contrast, in Prince v. St. Francis-St.
George Hospital, Inc. (1985), 20 Ohio App.3d 4, 484 N.E.2d 265,
the court opined that “[i]t seems to us that a negligent invasion of
the right of privacy . . . can just as effectively invade one’s right of
privacy as an intention to do so.” See, also, Yoder v. Ingersoll-Rand
Co. (6th Cir. 1998), 1998 U.S. App. LEXIS 31993.

D. Privileges.
A privilege is a common law right of an employer to disclose private
information, even without the employee’s consent.

  1. Provision of information to a medical provider.

  2. Provision of information to a health plan.

  3. Reporting of medical information to the Bureau of Workers’
    Compensation.

  4. Recording occupational injury and illness information on
    OSHA-prescribed forms, and making those forms available to
    parties with a right of access under OSHA laws and regulations.

  5. Use of medical information in defense of an employee’s
    claim of bodily injury.

Generally, courts apply a “commonality of interest” rationale and
find a qualified or conditional privilege when a “commonality of
interest” exists between the publisher and recipient, and the
communication is of a kind reasonably calculated to protect that
interest. See Knecht v. Vandalia Med. Center, Inc. (1984), 14 Ohio
App.3d 129, 470 N.E.2d 230. This has evolved into a “need to
know” standard applied in the employment context. See Levias v.
United Airlines (1985), 27 Ohio App.3d 222, 500 N.E.2d 370.

For a communication to be considered privileged, the employer
must establish:

  1. Good faith;

  2. An interest to be upheld;

  3. A statement limited in its scope to this purpose;

  4. A proper occasion; and

  5. Publication in a proper manner and to proper parties only.

See Hahn v. Kotten (1975), 43 Ohio St.2d 237, 331 N.E.2d 713,
quoting 50 American Jurisprudence 2d 698, Libel and Slander,
Section 195.

II. HEALTH INFORMATION PROTECTED BY HIPAA.

A. The HIPAA Privacy Rule.
One of the primary purposes of the HIPAA Privacy Rule is to define
and limit the circumstances in which an individual’s protected health
information may be used or disclosed by covered entities.

In general, a covered entity can disclose protected health
information for treatment, payment or health care operations
purposes without first getting the individual’s written permission. 45
C.F.R. § 164.502(a)(1)(iii). For most other purposes, the covered
entity must first obtain the individual’s written permission. 45
C.F.R. § 164.502(a)(1)(iv); 45 C.F.R. § 164.512.

B. Protected Health Information (PHI).
The HIPAA Privacy Rule defines PHI as all “individually identifiable
health information” held or transmitted by a covered entity or its
business associate, in any form or media whether electronic, paper
or oral. 45 C.F.R. § 160.103.

“Individually identifiable health information” includes information
that relates to an individual’s past, present or future physical or
mental health or condition, the provision of health care to the
individual, or the past, present, or future payment for the provision
of health care to the individual that identifies the individual or for
which there is a reasonable basis to believe it can be used to
identify the individual. 45 C.F.R. § 160.103.

The revised definition of protected health information excludes
“employment records held by a covered entity in its role as
employer”. For example, information in a hospital’s personnel file
about a nurse’s use of sick leave is not protected health
information, but the medical record of a hospital employee who is
receiving treatment at the hospital is protected health information
and is covered by the privacy rule.

The term “employment record” is not defined but includes health
information the employer would need to carry out its obligations
related to OSHA, FMLA, sick leave requests, drug screening,
workplace medical surveillance, fitness for duty exams, and other similar
programs and activity. However, a fitness for duty exam will be PHI
when the employer administers the test to the employee but not
when the results of the fitness for duty exam are turned over to the
employer pursuant to the employee’s authorization.

C. Minimum necessary rule.
A health care provider must provide only the minimum information
necessary to a person who has a permissible need to know, like
billing services, insurance companies and the like.

  1. It is left to the health care provider to decide what is
    minimally necessary.

  2. This restriction does not apply to the provision of information
    for treatment purposes.

D. Covered entities.

  1. Health care providers.
    Almost anyone in the business of providing health care
    services who is licensed or regulated by a state is covered
    by the act. This includes doctors, hospitals, nurses, dentists,
    pharmacists, counselors and laboratories. It also includes
    individuals or entities conducting certain covered “electronic”
    transactions, e.g. Medicare billing.

  2. Health plans.
    This includes anyone who pays for medical care, such as
    insurers, HMOs, employer-sponsored health plans,
    Medicare and Medicaid. A “group health plan” is one type of
    health plan and is a covered entity (except for self-administered
    plans with fewer than 50 participants). The
    group health plan is considered to be a separate legal entity
    from the employer or other parties that sponsor the group
    health plan.

  3. Health care clearinghouses.
    These are billing services, third-party administrators,
    insurance agents, and others who collect and process health
    and health-related information.

  4. Hybrid entities.
    These include employers. These are organizations which
    provide health care services as part of their business.
    Examples include employers with self-insured health benefit
    programs or workplace medical clinics. The portion of the
    business which provides the health care services must
    comply with HIPAA requirements for the handling of PHI.

E. Employer confidentiality obligations under HIPAA.
Hybrid entity employers must build “firewalls” between covered
portions of the business and those that are not covered, in order to
prevent the inadvertent disclosure of PHI.

  1. Password-protect databases at the least, and consider
    keeping entirely separate computer systems and databases.

  2. Physically separate covered and non-covered employees
    and files.

  3. Avoid having employees in the covered area also have
    responsibilities in non-covered areas.

F. Employer access to and use of PHI from covered entities.

  1. Covered entities can provide the following to an employer:

    a. Whether an employee is enrolled in a health care plan.

    b. Summary information, such as the number of
    enrollees, premiums paid, number of claims made,
    and total costs paid.

  2. If a covered entity provides an employer with more
    information, the employer must adopt and adhere to rules
    that are essentially the same as those applicable to covered entities.

G. Employer access to and use of PHI for workers’ compensation.
The HIPAA Privacy Rule does not apply to entities that are workers’
compensation insurers, workers’ compensation administrative
agencies, or employers except to the extent they may otherwise be
covered entities. However, these entities need access to
information that would qualify as protected health information to
administer claims of individuals injured on the job. Although this
information is obtained from health care providers who treat the
injured workers and who are covered by the Privacy Rule, an
exception to the rule permits disclosures for workers’ compensation
purposes.

  1. Disclosures without individual authorization.
    The Privacy Rule permits disclosure of PHI in connection
    with the administration of workers’ compensation claims,
    without the individual’s authorization:

    a. As authorized by and to the extent necessary to
    comply with workers’ compensation laws or similar
    programs established by law that provide benefits for
    work-related injuries or illness without regard to fault.
    45 C.F.R. § 164.512(l).

    b. To the extent the disclosure is required by State or
    other law provided the disclosure complies with and is
    limited to what the law requires. 45 C.F.R. §
    164.512(a).

    c. To obtain payment for any health care provided to the
    injured or ill worker. 45 C.F.R. § 164.502(a)(1)(ii).

  2. Disclosures with individual authorization.
    Covered entities may also disclose PHI in connection with
    the administration of workers’ compensation claims where
    the individual has given his or her written authorization for
    the release of the information to the entity provided the
    authorization contains the elements and otherwise meets the
    requirements specified in 45 C.F.R. § 164.508.

Individuals do not have the right to request that a covered entity
restrict its disclosure of PHI about them for workers’ compensation
purposes when the disclosure is required by law or authorized by,
and necessary to comply with, a workers’ compensation or similar
law. 45 C.F.R. § 164.522(a).

III. PRODUCTION OF MEDICAL INFORMATION FOR LITIGATION.

A. Plaintiff’s medical records.
The Privacy Rule does not prevent the Plaintiff’s physician from
producing his records. Rather, it prescribes the procedural steps
that the requesting party must follow to obtain the records.
A covered entity may disclose PHI “in the course of any judicial or
administrative proceeding,” even if not mandated by a court order,
provided that one of the following two procedural alternatives is
followed:

  1. The requesting party may provide “satisfactory assurance” to
    the covered entity that the patient has been given written
    notice of the request with sufficient time for the patient to
    object in court, and that the patient has either not objected or
    his objection has been denied. Giving notice to the patient’s
    attorney is sufficient. 45 C.F.R. § 164.512(e)(1)(iii).

  2. The requesting party may provide the covered entity with
    satisfactory assurance that the court will enter a “qualified
    protective order” that will restrict use of the PHI to the
    litigation and require that the PHI be destroyed at the
    conclusion of the litigation. 45 C.F.R. § 164.512(e)(1)(iv), (v).

B. Records maintained by the employer.
Documents containing health information maintained in personnel
or employment records are not protected by HIPAA, provided that
the employer maintains these records as an employer. Therefore,
any health information contained in these records can be produced.
See Beard v. City of Chicago (N.D. Ill. 2005), No. 03 C 3527, 2005
U.S. Dist. LEXIS 374 (holding that leave of absence documents
requested by the plaintiff from her former employer in a
discrimination suit did not constitute PHI and therefore that their
production was not governed by the HIPAA Privacy Rule).

IV. PRACTICAL CONSIDERATIONS FOR THE PROTECTION OF PHI.

A. Obtain authorizations.
When in doubt, obtain written authorization from the employee for
disclosure of information. While there are circumstances when this
is not necessary, it is best to err on the side of caution.

B. Segregate information.
Medical information should go into a separate folder, and the folder
should be a distinctive color (red is good). Lock the files up.
Restrict who can have access.

C. Written “need to know” forms.
When someone wants to access a medical file, have them
complete a standard request form, indicating their intended use for
the information, and why they are permitted to see the information.
Consider requiring employee authorizations.

D. Policy.
Write and disseminate a policy governing privacy of medical information.

© 2008 Newhouse, Prophater, Letcher & Moots, LLC
5025 Arlington Centre Boulevard, Suite 400 • Columbus, OH 43220 • 614.255.5441 • 614.255.5446 (Fax)