Health Information in Employment File Not Protected by HIPAA, Says Michigan District Court

A United States District Court in Michigan held earlier this month that patient health records contained in an employment file were not subject to the Health Insurance Portability and Accountability Act (“HIPAA”).

The plaintiff sued his former employer, a hospital, in a wrongful termination action. As part of discovery, the plaintiff requested his employment file from the defendant, and the defendant complied. Contained in the file was a “Letter of Disappointment,” which identified a former patient of the plaintiff. The parties agreed that the file should be covered by a protective order. However, the plaintiff refused to sign the protective order, arguing that the defendants should also be required to sign it and that the order should expressly state that the file was protected by HIPAA. After the defendant refused to sign the order, the plaintiff alleged that by signing it, the hospital would inadvertently admit that a HIPAA violation had taken place when it released the file. The plaintiff urged the court to consider his alternatively proposed order and to compel the defendant to sign it.

The court recognized that the documents contained protected health information but held that they were not subject to HIPAA because they were kept as a piece of the plaintiff’s employment file.

New Jersey Bill Sparked after Privacy Breach

The New Jersey Legislature has proposed a new bill requiring health insurers to encrypt personal health information on all of their computers. HIPAA suggests encryption where “reasonable and appropriate,” but there is no HIPAA requirement for encryption.

Approximately a year ago, Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) faced a privacy breach when two laptops containing unencrypted health information were stolen from its Newark headquarters. Included in the unencrypted data were records for nearly 840,000 members, with their Social Security numbers, personal information, and clinical data. Horizon maintained that leaving the information unencrypted was a violation of company policy, and it took additional steps to secure the information on its computers. The New Jersey Legislature said that breaches of the kind seen in the Horizon incident should be prevented, and the bill would make encryption mandatory for health insurers, which it describes as having a “critical priority” in safeguarding their members.