On June 23, the Minnesota Court of Appeals, the state's intermediate appellate court, provided two significant privacy-related rulings in Yath v. Fairview Clinics, Minn. Ct. App. No. A08-1556. First, the court ruled that posting of personal information on a publicly accessible Internet site satisfies the "publication" requirement of an invasion of privacy tort claim, regardless of the number of persons who actually view the site. Second, the court determined that the federal Health Insurance Portability and Accountability Act (HIPAA) did not preempt a state law that provided for a private right of action for unauthorized disclosure of patient medical records.
The Yath lawsuit arose when an employee of a Minnesota health clinic saw the plaintiff, an acquaintance, at the clinic and became curious about her visit. Knowing that it would violate clinic policy, the employee accessed the plaintiff's medical file and learned that the plaintiff had been diagnosed with a sexually transmitted disease. The employee was alleged not only to have shared this information with others verbally, but also to have created a MySpace Internet page on which she related information about the plaintiff's sexually transmitted disease, marital infidelity and other personal information. Although MySpace blocked access to the webpage after 24-48 hours, the page listed six "friends," indicating that at least that many people had accessed it.
When the plaintiff discovered that her sensitive information had been shared in this way, she sued the individuals involved and the medical clinic, asserting several claims, including invasion of privacy and a violation of Minn. Stat. §144.335, the state law then in effect that provided patients with a private right of action for the improper disclosure of information in their medical files. The district court granted the defendants' motion for summary judgment, finding that the posting of information on MySpace did not constitute "publicity" sufficient for an invasion of privacy claim and that the state medical privacy law was preempted by HIPAA.
Internet Posting as "Publication"
On appeal, the Minnesota Court of Appeals first addressed whether an Internet posting on MySpace constituted "publicity." To prevail on the invasion of privacy claim under state law, the plaintiff was required to show that: (1) the defendant gave "publicity" to a matter concerning her private life; (2) the publicity of the information would be highly offensive to a reasonable person; and (3) the matter is not of legitimate concern to the public. Quoting the Restatement, the court noted that "publicity" means that a matter is made public, either "by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge."
The two-justice majority in Yath determined that the publication of plaintiff's information on MySpace constituted communicating to the public at large. The court noted that the plaintiff's private information was posted on a public Internet page that was not password protected or otherwise "hidden," and therefore was available for anyone to view. The court reasoned that this sort of communication was "materially similar in nature to a newspaper publication or a radio broadcast, because upon release it is available to the public at large." The court further reasoned that publication on the Internet is like posting information in a shop window, or a late-night radio broadcast aired for a few seconds, each of which constitutes publicity under Minnesota law. Accordingly, it determined that the lower court erred by requiring the plaintiff to show that a certain number of people had actually viewed the page. That requirement, the appellate court explained, only applied to a privately directed communication.
In reaching its decision, the majority rejected the defendants' contention that the "social networking" nature of the MySpace site meant that the posting should be treated as a private communication. It explained that it did not matter whether the "medium is of general interest to the public," as the publicity analysis instead turns on "whether the content is conveyed through a medium that delivers the information directly to the public." Although it found that Internet publication constituted "publicity," the majority ultimately affirmed the district court's dismissal of the plaintiff's invasion of privacy claim on another ground—namely that the plaintiff failed to provide evidence that the named defendants were involved in creating the MySpace page.
The third judge, Judge Matthew Johnson, concurred in the majority's ultimate conclusion but was troubled by the per se rule that "the publicity element of an invasion-of-privacy claim is satisfied when private information is posted on a publicly accessible Internet site." He was particularly concerned that the court's rule treats all Internet sites alike, even though not all sites are designed to disseminate information to a large number of individuals, and that it assumes that every website is actually viewed or read by a large number of persons. Although Judge Johnson disagreed with the majority's analysis, he ultimately determined that the evidence supported a conclusion that the MySpace page at issue was directed to a sufficiently large number of individuals (as many as 80 people) to constitute "publicity" under the Restatement's second formulation.
State Law Claim Not Preempted by HIPAA
Subjecting the district court's construction of the state health privacy law to de novo review, the appellate court found that the law was not preempted by HIPAA. Acknowledging the general statutory rule that HIPAA supersedes any "contrary" provision of state law, the court noted that the state law is not "contrary" to HIPAA merely because the state law is different. Instead, the critical inquiry in evaluating whether a law is contrary to HIPAA is if the provider "would find it impossible to comply with both the state and federal requirements" or if the state law is "an obstacle to the accomplishment and execution of the full purposes" of HIPAA.
In this case, the appellate court concluded that it was possible to comply with both HIPAA and the Minnesota state health privacy law because both laws share the similar goals of protecting the privacy of an individual's health care information and discouraging the wrongful disclosure of information from another person's health record. The main differences between the laws were their chosen remedies—criminal penalties for a HIPAA violation and civil damages for a violation of the state law. The court determined that there was no preemption; "[r]ather than creating an 'obstacle' to HIPAA, [the Minnesota law] supports at least one of HIPAA's goals by establishing another disincentive to wrongfully disclose a patient's health care record." Having so ruled, the Court of Appeals remanded the case to the district court to consider whether the Minnesota statute imposed liability on the clinic as employer.
Lessons from Yath
The law frequently struggles to evolve and adapt to technological advances, a struggle that is particularly relevant in the privacy context, where technology can play a significant role. Instead of holding that technological changes minimized the protection of privacy laws, the Yath court found that the "extraordinary advancement in communication" facilitated by the Internet "argues for, not against, a holding that the MySpace posting constitutes publicity." Yath therefore illustrates the courts' willingness to apply long-established privacy protection to modern realities. The Yath ruling also provides clear guidance regarding Internet publications and the invasion of privacy tort. The majority's broad rule likely will be helpful for plaintiffs in such cases, as the "publicity" element traditionally is a major obstacle in privacy litigation.
Finally, the Yath holding regarding HIPAA preemption should alert covered health providers to the importance of being aware of, and responsive to, state laws regarding the privacy of medical records. As the medical clinic in Yath learned, the unauthorized disclosure of medical information may expose a violator not just to HIPAA penalties, but also to private causes of action for damages.