Hospital BAC disclosure prompts tort privacy claims

Photo by Marco Verch (CC BY 2.0)

The federal district court in Montana in December refused to dismiss an informational privacy claim against police, highlighting the space for state law to effect personal privacy protection in the United States.

Plaintiff Harrington was hospitalized after police found her unresponsive in her parked car. In the complaint, she alleged that sheriff's deputies "joked about her incapacitated condition and played along when nurses asked them to guess her blood alcohol content" (BAC). A nurse thereby disclosed Harrington's BAC, and, the complaint alleged, deputies then coaxed the record from a doctor. Harrington was charged with driving under the influence.

Subsequently, Harrington sued county officials and Madison Valley Hospital, the latter on theories of state statutory information privacy and common law invasion of privacy, negligence, and negligent infliction of emotional distress. The hospital sought dismissal on grounds that the federal Health Insurance Portability and Accountability Act (HIPAA), cited by the plaintiff in the complaint, affords no private right of action.  The federal district court, per Chief Judge Brian Morris, denied the motion to dismiss, recognizing that while HIPAA does not itself authorize private enforcement, it also does not preclude state law from providing greater privacy protection.

The case caught my attention because its facts point to something for which I've advocated, the use of tort law to fill gaps in informational privacy protection in the United States.  The law has not kept up with Americans' expectations of privacy, much less the norms of the world, but the common law should be sufficiently dynamic to reflect the evolving social contract.  I see drift in this direction in the expansion of medical fiduciary duty in emerging precedents in the states, such as Connecticut's Byrne v. Avery Center for Obstetrics & Gynecology, P.C., in 2018.

A theory as tenuous as negligent infliction of emotional distress, "NIED," can't usually stand on its own.  And tortious invasion of privacy has a poor track record in protecting personal information that is already in limited circulation.  However, paired with a medical provider's fiduciary duty and bolstered by a privacy violation recognized in regulation, either tort theory might be ripe for redefinition.

The case is Harrington v. Madison County, No. 2:21-cv-00015 (D. Mont. Dec. 6, 2021).  Hat tip to Linn Foster Freedman at Robinson+Cole's Data Privacy + Cybersecurity Insider.

First Circuit dismisses Mount Ida student class action, incidentally limits emerging data protection theory

Holbrook Hall, Mount Ida College, Newton, Mass. John Phelan CC BY 3.0

An angle in a recent First Circuit decision deserves a mention in U.S. data protection circles.  I hadn't been aware of this angle of the case, so hat tip to attorney Melanie A. Conroy at Pierce Atwood in Boston for analyzing the case carefully in the The National Law Review.

The First Circuit affirmed dismissal in the ugly and unfortunate matter of Mount Ida College students' class action against the school after its abrupt closure and sale to the University of Massachusetts system.  Conroy's rundown on the case is thorough.  I want only to highlight one important point: the court refused to recognize, in Massachusetts law, a fiduciary duty owed by university to student.

The decision comports with multistate norms, but is nonetheless important in limiting an emerging doctrine of data protection in U.S. common law tort.  State courts that have recognized something like a data protection right in civil cases have used fiduciary duty to bootstrap their way there.

American common law invasion of privacy is too stringent to get the job done, that is, to articulate a data protection right, for various reasons.  One reason is its incorporation of what Professor Daniel Solove termed "the secrecy paradigm": information must be kept secret to remain secret.  Thus, I cannot complain when my bank tells someone about my financial transactions, because I already let my bank know about them.  My resort must be to banking privacy law, by statute.  And there arises the second problem for privacy plaintiffs: statutes are too stringent to get the job done.  I might be unhappy if my employer divulges information about my psychiatric condition to my insurer, but neither one of them is a healthcare provider covered by the federal patient privacy law ("HIPAA"), which does not (directly) provide for a cause of action anyway.

In 2018, the Connecticut Supreme Court bridged the common law gap from statutory insufficiency to actionable privacy claim by relying on the physician-patient duty of confidentiality.  In short, the court held, HIPAA + duty of confidentiality = protectible common law interest.  The court thereby allowed a woman to sue her ObGyn provider upon an allegation of breached confidentiality.  That duty of confidentiality is a form of fiduciary duty.  So a theory emerged of how U.S. common law might stumble its way to recognition of what the rest of the world, especially Europe, calls "data protection."

There are a lot of ways for us to start catching up with the rest of the world in recognizing people's right to personal data integrity; this is just one.  And it remains.  But it is limited by the scope of duties that might stand in for that second piece of the equation.  The Mount Ida case shows correctly that it will be harder for a plaintiff to get there against a business defendant that is not a professional, and the data held are financial information tangential to the nature of the relationship, here, educational.

The First Circuit aptly instructed Mount Ida students that if they wanted better protection for their personal information in state law, their remedy was with the state legislature.  The same can be said for Americans, data protection, and our torpid Congress.

The case is Squeri v. Mount Ida College, No. 19-1624 (1st Cir. Mar. 25, 2020).  U.S. Circuit Judge Lynch wrote for the panel, which also included Stahl and Kayatta, JJ.