Patient information or data cannot be utilized without a patient or consumer’s knowledge or consent.
By now, HIPAA covered entities and business associates, as well as those persons covered by the Federal Trade Commission’s Health Breach Notification Rule, know that, as a general rule, patient information or data cannot be utilized without a patient or consumer’s knowledge or consent. It is also well established that workforce members cannot take data and other information (save a couple of exceptions, including those set forth in 45 C.F.R. §164.502(j)(1)) without the knowledge and consent of the individual consumer/patient and/or the employer. Additionally, employers are required to meet certain technical, administrative, and physical safeguards in order to protect the privacy and security of information and communications involving electronic protected health information (ePHI) or sensitive personally identifiable information.
First, to be clear, there is an exception for whistleblowers under HIPAA and Section 7 of the Defend Trade Secrets Act of 2016, so long as the information is procured during the course of employment, is limited in scope, and is provided only to an attorney and/or the government. As I wrote in a previous Physicians Practice article:
From the plaintiff’s side, the exception that physicians and other providers need to be aware of is 45 C.F.R. § 164.502(j)(1), which permits a covered entity or business associate’s workforce member to do the following:
The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers or the public; and
The disclosure is to:
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.
It is also appropriate to provide protected health information to the government in certain circumstances. For example, 45 C.F.R. §164.512(f) and (j) permit law enforcement functions to continue, with the appropriate safeguards, without the individual’s written consent.
Hence, employers need to appreciate that not all actions taken by workforce members to procure data are illegal. Another law that both employers and workforce members need to be aware of, especially workforce members who have departed the company and who would no longer have access to data without the company’s consent, is Title II of the Electronic Communications Privacy Act (“ECPA”), the Stored Communications Act, 18 U.S.C. §§ 2701-12 (“SCA”), which protects certain electronically stored communications.
For employers investigating a workforce member’s access to and utilization of workplace computer systems, email, servers, software applications, and data assigned to the specific person suspected of untoward conduct, there are a couple of items to consider. In Pietrylo v. Hillstone Rest. Group, Case No. 06-5754, 2009 U.S. Dist. LEXIS 88702, at *10-11 (D.N.J., Sept. 25, 2009), the court held that an employer that stumbles across passwords utilized by the employee for his/her personal internet email, file storage systems (e.g., Dropbox or ShareFile), and/or social media accounts (e.g., Facebook, LinkedIn), and uses them, may give rise to a claim for unauthorized access under the ECPA and the SCA.
Likewise, this is not a one-way street: workforce members, especially former workforce members, face the same exposure. See United States v. Szymuszkiewicz, 622 F.3d 701 (7th Cir. 2010). Specifically, the Court of Appeals for the Seventh Circuit noted that the defendant was
monitor[ing] email messages sent to his supervisor, Nella Infusino. She found out by accident when being trained to use Microsoft Outlook, her email client. She discovered a “rule” that directed Outlook to forward to Szymuszkiewicz all messages she received. Szymuszkiewicz was convicted under the Wiretap Act for intentionally intercepting an electronic communication … agents found emails to Infusino stored in a personal folder of Szymuszkiewicz’s Outlook client -- in other words, Szymuszkiewicz not only received the emails but also moved them from his inbox to a separate folder for retention -- which is not what would have happened had all of Szymuszkiewicz’s access been legitimate. … The jury could have chosen to believe Szymuszkiewicz’s contention that he received Infusino’s emails legitimately, or by mistake, but the evidence supported the more sinister inference that he obtained them intentionally and without her knowledge. 622 F.3d at 703-4 (internal citations omitted).
The take-away: both employers and employees should exercise extreme caution when conducting investigations or accessing data and computer systems. For workforce members, this is particularly true once an individual terminates his/her relationship with a company or another person. The SCA can carry civil and/or criminal liability. This is one area not to overlook.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.