By Joshua Mooney, White and Williams LLP
The handling of sensitive data with appropriate care in litigation is a critical aspect of legal practice. Recent ABA Formal Opinions 477 and 483 discuss requirements for securing protected client information and lawyers’ obligations after a cyberattack. Conduct during litigation is no different. Unless stated otherwise by statute, the context of litigation does not effect a person’s legal duties when handling sensitive data. In Menorah Park Ctr. for Senior Living v. Rolston, 2019 Ohio App. LEXIS 2175 (May 30, 2019 Ohio Ct. App.), a plaintiff of a small-claims matter is learning this lesson the hard way.
In Menorah Park, plaintiff Menorah Park Center for Senior Living commenced a small-claims action against defendant Rolston to recover an unpaid debt related to health care services provided by the center. Id. at *1. Menorah Park attached to its complaint non-redacted copies of several account billing statements that included descriptions of medical services provided, dates the services were rendered, medical procedure codes, charges, credits and balances. Id. at *2. Rolston filed an answer and class-action counterclaim alleging violation of Ohio’s common-law claim for “breach of confidence” for the unauthorized disclosure of nonpublic medical information learned within a doctor-patient relationship. Rolston also moved to transfer the action to the municipal court’s regular docket, which the court granted. Id.
Menorah Park moved to dismiss the counterclaim, arguing that (1) the disclosure was authorized under the Health Insurance Portability and Accountability Act (HIPAA) because the disclosure had been made in connection with the facility’s attempt to obtain payment for services rendered, and (2) this permitted disclosure under HIPAA preempted the Ohio common law claim. Id. at *3. Rolston opposed the motion, arguing that her claim was not preempted and that, in any event, Menorah Park’s disclosure was unlawful under HIPAA because, by filing non-redacted copies of the statements, Menorah Park had not undertaken “reasonable efforts” to limit the disclosure of the protected health information (PHI) to the “minimum necessary” for the purpose of collecting payment. Id. The trial court nonetheless granted Menorah Park’s motion to dismiss; the Ohio Court of Appeals reversed and reinstated the claim. Id at *4.
The Court of Appeals appeared to reject the contention that the disclosure of Rolston’s medical information was authorized under HIPAA, noting that Menorah Park had used non-redacted copies of the account statements. Id. at *8-9. Nevertheless, the court did not decide the issue, instead determining that HIPAA did not preempt Rolston’s common law claim:
The Supreme Court of Ohio has continued to recognize the common-law tort claim for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information set forth in Biddle . . . . Sufficient authority exists to establish this common-law tort is not preempted by HIPAA, and the Supreme Court of Ohio has never indicated otherwise.
(Id. at *9-10.) The court further noted that “courts in other states have found that ‘HIPAA does not preempt state-law causes of action for the wrongful disclosure of health information.’” Id. at *11 (citing cases). Because Rolston’s common law claim for the unauthorized disclosure of nonpublic medical information is not preempted by HIPAA, the trial court’s dismissal of her claim was held to be in error and was reversed. Id. at *13.
What This Case Means. There are several implications that arise from this decision, the first being that law firms and litigants must undertake care when handling personal information, even an adversary’s in litigation. Several states recognize common law claims for unauthorized disclosure of medical information. In Pennsylvania, the Pennsylvania Supreme Court in Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), recognized a common law duty to protect personal information, which is a much broader category of data. To be fair, it does not appear that a law firm initially was involved in the Menorah Park lawsuit, and that Menorah Park made an unwitting error. Nevertheless, this case illustrates the potential (and significant) liability a party or its law firm may face if reasonable care is not undertaken when handling sensitive personal information in connection with litigation.
Some may ask why Menorah Park did not raise the Ohio Data Protection Act as a defense? The Ohio Data Protection Act creates an affirmative defense for the failure to maintain adequate data security when the organization maintains and complies with “a written cybersecurity program” that reasonably conforms with an industry-recognized cybersecurity framework or data security legislation, including HIPAA. Menorah Park did not raise the legislation because its motion to dismiss predated the legislation’s enactment and effective date. Had the legislation been in effect, however, it is still unclear whether it would provide Menorah Park with a safe harbor. The center filed several non-redacted account statements with its complaint, an act that the Court of Appeals at the minimum suggested fell short of HIPAA requirements. The conduct, as well as the state of Menorah park’s written data security program, could create genuine issues of material fact that would forestall early motions practice and could promise ongoing litigation.
The clear lesson here is to take care when handling sensitive data.
Joshua Mooney is a partner at White and Williams LLP in Philadelphia, and is Co-Chair of the firm’s Cyber Law and Data Protection group.