Individuals have a right of privacy in their medical records under various laws and under the U.S. Constitution. These rights aren’t unlimited, but you can restrict access to your health information and sue if someone violates your rights in certain situations. Your right to sue depends on who breached your privacy and how the breach occurred.

Suits against governmental entities

The 14^th Amendment of the U.S. Constitution protects an individual’s “zone of privacy.” Individuals have an “interest in avoiding disclosure of personal matters” including information about one’s body. As a result, the government cannot arbitrarily intrude into someone’s medical records. The intrusion could be by various forms of government action, including legislation which may permit access to one’s medical records by law or by individual actions of an agent of the government (such as a department, an officer, etc.).

However, the courts apply a balancing test to determine whether there has been an unconstitutional violation of one’s right to privacy. For example, in the recent case of Hancock v. County of Rensselaer, the plaintiffs worked for the county jail and had their medical records accessed by their employer without permission. The governmental employer was apparently concerned that employees may have been taking excessive sick leave and sought to access their medical records in order to verify whether his employees were actually sick when they took sick leave. The lower court incorrectly held that the Constitution only protects those medical records which contain evidence of medical conditions that are both serious and stigmatizing (i.e. would expose the patient to discrimination and intolerance). On appeal, the Second Circuit Court of Appeals reversed, clarifying that all medical records are protected, but the following factors must be weighed in order to determine if the breach was unconstitutional under the circumstances:

• the type of government interest (e.g., legislation vs. action by a government actor);
• the strength of the individual’s privacy interest (for example, whether the information was serious/stigmatizing, how detailed the medical record was, and whether the individual took any steps to disclose the information to third parties indicating that he/she was not concerned with maintaining the privacy of the medical information); and
• the context of the government action (e.g., was information accidentally disclosed during a public emergency or was there intentional or malicious conduct by the government actor, such as the employer in Hancock).

These factors are balanced against one another and each factor is not necessarily weighed equally. For example, as stated by the Court in Hancock, if the government’s action is malicious, whether the individual’s privacy interest is strong or weak becomes less important. However, if the government’s action in breaching the individual’s privacy was merely negligent, the strength of an individual’s privacy interest receives greater consideration.

Suits against private persons or entities

As discuss in a prior blog post, various state and federal laws protect the privacy of medical records, including the Health Insurance Portability and Accountability Act of 1996 (commonly referred to as “HIPAA”) and New York State confidentiality and privilege laws.

In addition, medical records are protected under the Computer Fraud and Abuse Act (“CFAA”). This is a federal law geared generally toward “hacking” and other unauthorized access and modifications of computer data. Violative conduct includes intentionally accessing a protected computer without authorization in a manner which results in damage. The CFAA provides for criminal prosecution as well as a private right of action whereby a private individual can sue the party for accessing their information without authority.

With respect to medical records, however, an individual can only sue if the access actually causes monetary loss ($5000 in 1 year) OR if accessing the medical information actually impacts the medical examination, diagnosis, treatment, or care of the individual. The latter element may be possible in situations where medical information is accessed and modified in some manner. In the case of Hancock, the plaintiffs argued that they would be deterred from seeking medical care knowing that their boss could access their medical records. While the Court did not accept this argument because it was too hypothetical, the Court did not discount the potential impact on an individual’s decision to seek care in a similar situation.

If you believe your medical records were accessed without your permission, contact us to discuss your options.

Learn more about our Commercial Litigation practice.