[BreachExchange] Ohio Appellate Court dismisses privacy breach lawsuit against employer

Thu May 11 20:12:51 EDT 2017

http://www.lexology.com/library/detail.aspx?g=1c14c444-b12a-4849-8fcf-
5b1939184f71

A recently published decision of an Ohio Court of Appeals reminds us that,
particularly in this electronic age, employers need to be very careful in
the handling of confidential medical information. The decision is also a
reminder that sometimes the outcome of a case can depend on the precedent
in a particular appellate district.

In Templeton v. Fred. W. Albrecht Grocery Co. the 9th District Court of
Appeals (for Summit County, Ohio) the employee responsible for managing
workers’ compensation claims for the employer inadvertently sent a
psychological report regarding the plaintiff to other employees rather than
to the plaintiff’s attorney as she intended. The plaintiff brought suit
alleging unauthorized disclosure, negligence and invasion of privacy. In
response, the employer filed a motion to dismiss the claims as a matter of
law.

The trial court dismissed the unauthorized disclosure and negligence claims
at the outset and then, ultimately granted summary judgment as to the
invasion of privacy claim. The plaintiff then appealed.

In affirming dismissal of all of the claims, the court first addressed the
claim for invasion of privacy, which was essentially based on a claim for
public disclosure of private facts (among other types of invasion of
privacy claims). To establish such a claim, the court held that a plaintiff
must prove:

“(1) that there has been a public disclosure; (2) that the disclosure was
of facts concerning the private life of an individual; (3) that the matter
disclosed would be highly offensive and objectionable to a reasonable
person of ordinary sensibilities; (4) that the disclosure was intentional;
and (5) that the matter publicized is not of legitimate concern to the
public.”

Plaintiff argued that the court should follow a decision of the First
(Hamilton County) District Court of Appeals in not requiring that the
disclosure be intentional, but the court held that it was bound by its own
precedent. Further, it noted a number of decisions from other Ohio Courts
of Appeals that require intentionality as an element of the claim.
Accordingly, the court held that because the misdirection of the e-mail was
inadvertent, there was no actionable claim for invasion of privacy.

The court then addressed plaintiff’s claim for unauthorized disclosure and
breach of medical confidence, arguably based upon the Ohio Supreme Court’s
decision in Biddle v. Warren General Hospital. In that case the Ohio
Supreme Court recognized that a physician or hospital can be liable for the
tort of unauthorized, unprivileged disclosure of medical information to a
third party when the medical information is gained in the course of the
physician-patient relationship. Later, the Ohio Supreme Court extended that
principle in a situation where an attorney who had legitimately received
medical information during the course of litigation improperly disclosed
that information outside the context of the case. In addressing these
cases, the Court of Appeals concluded that the Biddle decision arose and
should be applied only in the physician-patient relationship and declined
to extend that holding to impose liability upon employers. Thus, dismissal
of that claim was affirmed as well.

Two judges joined in the majority opinion. The third judge dissented,
asserting that intentionality should not be a requirement for an invasion
of privacy tort and that it was time to extend the Biddle holding “to cover
an employer’s responsibility to safeguard the confidentiality of medical
records that it receives from healthcare providers,” particularly “given
the proliferation of electronic medical records in the years since Biddle
was decided and ever-mounting challenges to individual privacy in a digital
age.”

The Bottom Line

While this decision is good for employers, it reminds us that maintaining
the confidentiality of private, particularly medical, information is
critical to avoiding claims such as these. Further, courts are increasingly
protective of private information in this electronic age, and the law
followed by this court could change. And finally, it is notable that in
addressing the law applicable to a particular situation, there can be
differences among the various district courts of appeals in Ohio. Had this
case arisen in Cincinnati instead of Akron, the plaintiff might have had a
viable claim for invasion of privacy since the Hamilton County court of
appeals does not require intentionality for such a claim.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170511/7056efcb/attachment.html>