Protecting Private Medical Information: Liability for Unauthorized Disclosure

By Loni Eustace-McMillan, J.D., LL.M. Candidate

Unauthorized access to and disclosure of private medical information can have serious consequences for both the person whose information has been disclosed and for those who have violated the confidence. The Supreme Court of Ohio recently recognized two independent torts for violation of privileged medical information in Biddle v. Warren General Hospital, 715 N.E.2d 518 (Ohio 1999).

In Biddle, for over two years a hospital released all of its patient registration forms to a law firm without obtaining any prior consent or authorization from its patients to do so, and without pre-screening or sorting the records in any way. The law firm reviewed the records in an attempt to determine if any of the patients might be eligible for disability benefits under Supplemental Security Income (SSI). The records were sorted according to whether the patient might possibly qualify for SSI or not. The law firm telephoned the potential SSI candidates representing that they were calling on behalf of the hospital to inform the person they might qualify for SSI. If so, those benefits could help the patient pay their outstanding medical bill with the hospital. The hospital and law firm had an understanding that the hospital was the firm's client, but that at some point, the firm might also represent individual patients on SSI claims. Ultimately, an employee of the law firm, suspecting she was being terminated, photocopied these records and sent copies to a local television station. A class action suit was instituted against the hospital, the law firm, one attorney, and the hospital's administrator, executive director, and chief executive officer seeking compensatory and punitive damages, and injunctive relief.

The court held that Ohio law recognized an independent tort "for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship." Further, the court held that a third party could be liable "for inducing the unauthorized, unprivileged disclosure of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship."

The issues of maintaining the confidentiality of personal health information and protecting against unauthorized disclosure, dissemination, and use are at the forefront of national attention today. A survey released by the California Health Care Foundation in January 1999 revealed: (1) that one out of every five people believe their health information has been disclosed or used inappropriately; and (2) that one out of every six people engage in forms of "privacy-protective" behavior when they seek, receive, or pay for health care -- including paying for care out of their own pocket; seeing multiple providers to avoid the creation of a consolidated medical record; giving inaccurate or incomplete information on medical history forms; requesting that medical providers not write down the health problem or that they record a less serious or embarrassing condition in their records; and not seeking health care to avoid disclosure to an employer.

Failure to respect the confidential, privileged nature of medical information and the unauthorized use and disclosure of such information occur at many levels. A report published in July 1999 by the United States General Accounting Office, Medicare, Improvements Needed to Enhance Protection of Confidential Health Information, cited violations of Medicare beneficiaries' private medical information. These violations ranged from those committed by researchers to others committed by HCFA employees and contractors. In one instance, a HCFA employee admitted to looking at medical files of famous people. Another breach occurred when the director of Medicare payment safeguards at one of HCFA's contractors took a file from the workplace. She shared it with her physician husband who was employed by the same contractor, but in a private line of business. The file pertained to an on-going fraud investigation of another physician.

State laws relating to the confidential, private nature of health information vary greatly from state to state. Typically, state laws regulating the protection and dissemination of health information are located in various statutes, regulations, licensing provisions, evidentiary privileges, and common law. Generally, these laws are not located in one easily identifiable section of a state's statutes. Many times, the laws are located in different statutory titles associated more with the identity or type of user of health information than with the information itself. Enacted at different times, the laws address a variety of concerns and issues. Some are codified in statutes easily found while others are located in obscure sections of law. A comprehensive study and report prepared by the Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University, entitled, The State of Health Privacy: An Uneven Terrain, contains an analysis and compilation of many of the laws applicable to each state. The report may be accessed at

Health care providers and entities having possession of, coming in contact with, transmitting or disclosing a person's medical information are at this time governed by a myriad of state laws. Additionally, pursuant to the Health Insurance Portability and Accountability Act (HIPAA) passed in 1996, proposed federal regulations have been published by the Office of the Secretary of Health and Human Services (HHS) to establish privacy standards pertaining to health information. See Privacy/991109Proposed.html.