Woman Charges WV Firm With Violating Her Patient Privacy Rights

October 10, 2018 - Elizabeth Fry, a resident of Logan County, West Virginia, has filed a state lawsuit in Kanasha Circuit Court charging that Charleston-based Molina Information Systems violated her patient privacy rights by providing third party access to her medical information without her consent, the West Virginia Record reported Oct. 8.

The lawsuit alleges that a Molina contractor approached Fry, who is terminally ill, regarding her medical condition. As a result, she says that she suffered emotional and suffering, mental anguish and distress, humiliation and embarrassment.

She is seeking a jury trial, monetary damages, plus interest, attorney fees, and court costs and expenses. She is being represented by Charleston-based attorney Alan L. Pritt of Pritt & Spano.

Patient privacy rights have been on the minds of consumers and state legislatures lately.

According to a recent survey of 1,000 consumers by health insurance company Aetna, 80 percent of consumers view patient privacy as a very important aspect of healthcare, and 76 percent have the same view of data security.

Eighty-four percent of women identified privacy as a top concern, while 71 percent of men identified it as one. Two-thirds of men said that data security was very important, while 80 percent of women said it was very important.

On the legislative front, Washington and California recently passed tough privacy laws.

A Washington state law, which took effect in June, limits the use of medical and mental health records in discrimination lawsuits, strengthening patient privacy rights.

The law is intended to prevent private details of plaintiffs of sexual harassment cases from being revealed in court.

As part of the discovery process, defense attorneys defending companies against sexual harassment charges could reach back into the plaintiff’s past, even as far as birth, for medical and mental health information they could use in their client’s defense.

Under the new law, defense attorneys can only request medical and mental health records going back two years in three specific circumstances:

• Plaintiff alleges a specific and diagnosable physical or psychiatric injury as a proximate cause of the defendants’ conduct
• Plaintiff relies on the records or testimony of a health care provider or expert witness to seek general damages
• Plaintiff alleges failure to accommodate a disability or alleges discrimination based on a disability

The law reverses a 2013 state appeals court decision that ruled plaintiffs must produce mental-health records when seeking emotional harm or distress in a discrimination suit.

While not specifically about patient privacy rights, the new California privacy law, which takes effect in 2020, is intended to strengthen consumer privacy rights and data security protections for state residents.

The law applies to commercial entities that do business in the state and collect personal data from consumers.

It provides consumers the right to access their personal information collected by a business, the right to delete the information, the right to know what information is being collected, the right to know whether and what personal information is being sold or disclosed, the right to stop a business from selling their information, and the right to equal service and price.

In addition, the law provides a modified, private right of action for data breaches and allows for enforcement by the state attorney general for other violations.

The legislature also passed amendments to the privacy law designed to correct drafting errors and clarify patent ambiguities, explained law firm Dorsey & Whitney.

The amendments in Senate Bill No. 1121, which was signed into law by Gov. Jerry Brown on Sept. 23, also contained provisions exempting HIPAA covered entities and business associates from the state law’s requirements. The bill would exempt PHI collected by a HIPAA covered entity or business associate or as part of a clinical trial from the state law.

The bill also extended the effective date of the privacy law, which was originally set for Jan. 1, 2020, due to objections from the attorney general about the tight timetable for having implementing regulations ready. As a result, no enforcement actions will be taken by the attorney general until the earlier of six months after final regulations are adopted or July 1, 2020, the law firm explained.