State Law Trumps HIPAA in Suit Over Disclosure of Medical Records

Rejecting a defense based on compliance with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), a federal court in Ohio denied a medical clinic’s motion to dismiss invasion of privacy claims following the clinic’s disclosure of medical records to a grand jury.  In Turk v. Oiler, No. 09-CV-381 (N.D. Ohio Feb. 1, 2010), plaintiff Turk had been under investigation for illegally carrying a concealed weapon and for having a weapon while under disability in violation of an Ohio law which provides that “no person shall knowingly acquire, have, carry, or use any firearm” if “[t]he person is drug dependent, in danger of drug dependence, or a chronic alcoholic.”  Defendant Cleveland Clinic, where Turk was a patient, received a grand jury subpoena requesting “medical records to include but not be limited to drug and alcohol counseling and mental issues regarding James G. Turk.”  When the Cleveland Clinic disclosed Turk’s medical records in response to this subpoena, Turk sued the clinic for violating his privacy rights.

In its defense, the clinic argued that a specific exemption in HIPAA permits such disclosure of medical records in response to a grand jury subpoena.  Ohio’s physician-patient privilege, however, provides that a physician cannot testify as to “a communication made to the physician . . . by a patient in that relation or the physician’s . . . advice to a patient.”  The court found that the term “communication,” as used in the statute, includes hospital records “and is sufficiently broad to cover any confidential information gathered or recorded within them during the treatment of a patient at the hospital.”  Because the HIPAA provision exempting the disclosure would not preempt this more restrictive state law, the court denied the clinic’s motion and refused to dismiss Turk’s privacy claim.  That decision may have prompted a settlement, as this week, the court granted a request by Turk to dismiss all of his claims against the clinic.

Provincial Consumer Protection Regulations in China May Affect Personal Data

Although China has yet to enact a national data protection law, certain provincial-level rules implementing national consumer protection laws impact the collection and use of personal data.  These provincial regulations may warrant specific attention by entities doing business in the relevant Chinese provinces.  The impact of each of these will often be limited, both because they affect only enterprises doing business in the respective provinces and because the actual requirements of each of these regulations are typically modest.  Also, the potential penalties for violation are manageable in most cases. In addition, these provincial regulations could be superseded by national-level data protection legislation, depending on its terms.

Belgian Criminal Court Fines Yahoo for Non-Disclosure of Personal Data to Public Prosecutor

On 2 March 2009, a Belgian criminal court (Tribunal correctionnel de Termonde, No. DE 20.95.16/08/25) fined Yahoo! Inc. €55,000 ($71,745) for refusing to disclose to a Belgian Public Prosecutor the personal data of its e-mail users who were under criminal investigation for fraud. The criminal court also imposed a daily penalty fee of €10,000 ($13,045) in case of non-compliance with the judgment.  This decision was reached despite Yahoo!’s argument that Belgian law did not apply because the company does not maintain a legal entity in Belgium and does not store any customer data in Belgium.

In the context of a criminal investigation for fraud, the Belgian Public Prosecutor of Termonde had requested the disclosure of detailed account information to identify e-mail users using pseudonyms on their Yahoo! e-mail accounts.  Yahoo! refused to disclose such information. The Belgian criminal court held that Yahoo! had violated Article 46bis of the Belgian Code of Criminal Procedure (Code d’instruction criminelle), which imposes on electronic communication service providers a duty to cooperate with a Public Prosecutor and to provide the identity of their users when requested by a Public Prosecutor in the course of a criminal investigation.

As mentioned above, Yahoo! argued that Belgian law did not apply because there is not a Yahoo! legal entity in Belgium and Yahoo! does not store any customer data in Belgium. Furthermore, Yahoo! argued that the Belgian Public Prosecutor had failed to issue a formal request in accordance with the procedures established by the Treaty on Mutual Legal Assistance on Criminal Matters, signed between the United States and Belgium on 1 January 2000. Following the ruling, Yahoo! appealed the judgment of the Criminal court on 3 March 2009.
 

China's Amendment to Criminal Law Includes Data Protection Provisions

The Standing Committee of the National People’s Congress recently passed an amendment to the P.R.C. Criminal Law.  The amendment includes a provision imposing criminal liability on persons who misappropriate personal information during the course of performing their professional duties.  A previous Hunton & Williams Client Alert reported on the amendment that has now become effective as law.

The amendment as passed imposes potential criminal penalties not only on government agency personnel, but also on personnel in financial, telecommunications, transportation, educational and medical institutions who may sell personal information or provide it to others.  In other words, the law appears to allow the imposition of penalties within the private sector, as well as on government officials who misappropriate personal data.  The law can also make an enterprise, or a supervising person within an enterprise (“management personnel with direct responsibility”), liable for such misappropriations that are conducted by the enterprise.

Possible penalties for such misappropriations include imprisonment for less than three years, imposition of a fine (as a single penalty or concurrently with other penalties), or detention.  The amendment also makes intrusions into computer systems outside the government sector and obtaining information stored, processed, or transmitted thereon a criminal act.

Companies in the financial, telecommunications, transportation, educational and medical sectors in China may want to establish internal procedures to prevent misappropriations of personal data within their enterprise, and to undertake employee educational efforts to foster awareness of the importance of handling personal data with appropriate care.