Privacy Advisor

New Appellate Court Ruling May Foster HIPAA Litigation

October 1, 2006

Kirk J. Nahra

As privacy advocates, class action lawyers, interested consumers and others struggle to find means of enforcing privacy obligations in the courts, judges grapple with the question of whether entities that violate privacy laws properly face private damages liability. Because most national privacy rules (notably HIPAA and Gramm-Leach-Bliley) contain no private cause of action, plaintiffs struggle to find creative ways to sue over such privacy and security violations. For "injured" victims, finding an appropriate legal theory may be a critical threshold requirement to securing monetary damages. For companies facing privacy obligations, understanding these challenges is critical to appropriately assessing litigation risks.

This ongoing "debate, search and assess" effort is why the recent case of Sorensen v. Barbuto, No. 20050501-CA (UT Ct. App. Aug. 10, 2006, available at www.utcourts.gov/opinions/appopin/sorensen081006.pdf) is so interesting. In that case, a patient sued his former doctor for providing assistance to the defendant in a personal injury suit brought by the patient. The alleged facts are fairly egregious, but they highlight how a "HIPAA-like" claim can be maintained. The case also focuses attention on how - with the right facts - judges may seek out means of remedying HIPAA violations where a reasonably defined actual harm or particularly bad behavior is asserted.

Case Facts
The alleged facts are straightforward (if a bit bizarre). The plaintiff, Sorensen, suffered injuries in an automobile accident. The defendant, Dr. Barbuto, treated him for an extended period of time for these injuries. When Sorensen's medical insurer removed Barbuto from its preferred provider list, Sorensen terminated his treatment relationship with Barbuto and began to receive treatment from another physician.

Shortly thereafter (and apparently unrelated to this change in physicians), Sorensen filed a personal injury claim against the driver of the car that injured him. Barbuto was approached by the defense counsel in that case without Sorensen's knowledge or consent. Barbuto engaged in various communications with defense counsel, wrote a report for defense counsel's use and agreed to testify as an expert witness for the defense (against his former patient). Sorensen eventually prevailed in the personal injury case (and Barbuto's testimony was thrown out).

The Sorensen privacy law decision stems from Sorensen's subsequent suit against Barbuto, brought after Sorensen learned of Barbuto's involvement with opposing defense counsel. He asserted breach of contract and various tort claims against Barbuto, all of which were dismissed by the trial court. The recent decision of the Utah Court of Appeals reversed most of this dismissal.

The Court of Appeals Decision: Contract Claims
The court first addressed Sorensen's contract claims. While agreeing with Sorensen that his claim did not fail due to a lack of a written contract, it upheld the dismissal of this count on the ground that Sorensen had terminated his relationship with Barbuto prior to Barbuto's involvement with the defense counsel. The court explicitly indicated that the claim sounded in tort, rather than contract.

Tort Claims
The court next considered Sorensen's breach of professional duty claim (which included a breach of fiduciary duty claim). The court rejected Barbuto's claim that he violated no duty because Sorensen had placed his physical condition at issue in the case, finding that this "exception" to the physician-patient privilege doctrine could not be the basis for Barbuto to act against the patient in a suit where Barbuto was a third party. The court then held that "ex parte communication between a physician and opposing counsel constitutes a breach of the physician's fiduciary duty of confidentiality." The court also held that the trial court's dismissal of Sorensen's negligence claim was in error, as the fiduciary duty that existed in this situation could support a negligence claim.

The court also found that Sorensen could pursue a claim for intentional infliction of emotional distress. Because Barbuto not only communicated ex parte with defense counsel, but also became a paid advocate for Sorensen's adversary, the conduct by Barbuto met the standard of "extreme and outrageous" conduct necessary to sustain a claim for intentional infliction of emotional distress.

Finally, the court addressed the common law invasion of privacy claim, which focused on whether there was a "public disclosure of private information." The court found that Sorensen's private information was provided only to defense counsel and "a few incidental people," and therefore was insufficient to constitute a public disclosure of this information. Dismissal of this claim was upheld.

Impact of the Decision
Common law torts do not fit very well: As we have seen in other situations, the traditional common law tort of invasion of privacy does not accommodate many of the privacy and security breach situations that are generating attention today. Wrongful use of personal information, sloppy security practices, misuse of information for marketing purposes, etc. - all are "harms" envisioned by current privacy laws, and none fit well into the common law elements. As many court cases indicate, the common law of invasion of privacy does not provide much support for plaintiffs asserting injury from contemporary categories of privacy and security breaches.

Bad facts make for creative remedies: Bad facts - or particularly egregious behavior - do create incentives for courts to fashion a creative remedy. Here, Barbuto's behavior rose to the level of "extreme and outrageous" conduct - a very high threshold. Because such behavior also seems to turn the traditional doctor-patient role on its head, the court went out of its way to find a remedy. Few people will defend Barbuto's behavior in this case; whether the remedy is appropriate is a different question.

The case presents some similarities to an earlier federal trial court decision, where the court seemingly regarded the claimed behavior as unfair, even though it did not violate any specific law. In Ingram v. Mutual of Omaha Insurance Company, 170 F.Supp.2d 907 (W.D.MO. 2001), an insured sued her health insurer for breach of fiduciary duty in connection with the disclosure of medical records in response to a third-party subpoena. The facts in the case were essentially uncontested. The insured, Ingram, had been identified as a potential witness in an unrelated case. The defense attorney in that case subpoenaed Ingram's medical records from her health insurer. The insurer produced the records responsive to the subpoena, without seeking to quash the subpoena. Ingram's consent to produce the medical records was not obtained, nor was the insured informed that her records were being disclosed. Other parties challenged subpoenas seeking information about Ingram, and these motions were overruled, with the court holding that the information requested through the subpoenas was reasonably calculated to lead to the discovery of admissible evidence.

Following disclosure of her records, Ingram sued her insurer, alleging that the insurer had breached its fiduciary duty and physician-patient privilege when it disclosed her medical records in response to the subpoena. According to the court, the "central issue" in the case was whether the insurer's failure to object or file a motion to quash was a breach of the insurer's fiduciary duty. The court ultimately ruled in favor of the plaintiff. While Mutual of Omaha's behavior was nowhere near the "extreme and outrageous" conduct of Barbuto, the court apparently sought a remedy for what it viewed as insufficient efforts by an insurer to stand up for its insured.

Damages are still an issue and claims face an uphill struggle: The Utah Sorensen decision also reminds us that damages remain a problematic element of any privacy-related litigation - and that privacy claims still face an uphill battle in many circumstances, even where improper behavior has occurred. Even given his doctor's "extreme and outrageous" behavior, Sorensen still lost - decisively - in the trial court, and needed an appellate decision to send him back to the start of his lawsuit. He remains some distance from actually recovering significant damages.

A key decision as to the role of damages allegations in privacy cases is Smith v. Chase Manhattan Bank, 741 N.Y.S.2d 100 (App. Div. 2002). In Smith, a bank promised its customers that it would not and did not sell their personal information to third parties. In fact, the suit alleged, the bank sold customer lists to third parties, including a telemarketing firm. Moreover, the bank allegedly received a percentage of the profits from products sold as a result of these telemarketing services. A class of bank customers sued, alleging that the bank violated its obligations to the plaintiff class.

Despite these egregious allegations, the court dismissed the complaint, finding no allegations of actual damages. The court said that "the 'harm' at the heart of this purported class action, is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm." Moreover, "[t]he complaint does not allege a single instance where a named plaintiff or any class member suffered any actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail." Accordingly, the court found that the complaint was appropriately dismissed for failure to state a cause of action, i.e. no claim existed on the facts as they were alleged.

Smith is the clearest enunciation of the "no damages" theory - but not the only one. Clearly, with other fish to fry, the plaintiffs' bar has not been impressed by the potential "pot of gold" related to privacy litigation. Nor, despite the increase in privacy litigation in recent months, is there any particular evidence to indicate that courts are in any way more sympathetic to claims of damages in connection with potential privacy and security harms, outside of the limited range of cases where someone can be blamed for outrageous behavior.

Conclusion
We can continue to expect that plaintiffs (and their counsel) will invoke creative means of supporting privacy lawsuits. And, where the behavior is bad enough, or there is demonstrable harm, courts may be sympathetic, even if they have to fiddle with existing causes of action to make the punishment fit the crime.


Kirk J. Nahra is a partner with Wiley Rein & Fielding LLP in Washington, D.C., where he specializes in healthcare, privacy information security and counseling. He is chair of the firm's Privacy Practice and co-chair of its Healthcare Practice. He was elected to the Board of Directors of the International Association of Privacy Professionals, and serves as the Editor of The Privacy Advisor. He is a Certified Information Privacy Professional. He can be reached at +202.719.7335 or knahra@wrf.com

© 2006 Wiley Rein & Fielding LLP. Reprinted with permission, Privacy In Focus Sept. 2006. This is a publication of Wiley Rein & Fielding LLP providing general news about recent legal developments and should not be construed as providing legal advice or legal opinions. Consult an attorney for any specific legal questions.