Can I Sue My Employer for Giving My Personnel File to a Third Party?
Full Question:
Answer:
To prove an invasion of privacy, the court must find a person had a "reasonable expectation of privacy." Courts are not in agreement on the precise definition of the legal standard of a "reasonable expectation of privacy." Invasion of privacy is the intrusion into the personal life of another, without just cause, which can give the person whose privacy has been invaded a right to bring a lawsuit for damages against the person or entity that intruded. It encompasses workplace monitoring, Internet privacy, data collection, and other means of disseminating private information. A non-public individual has a right to privacy from: a) intrusion on one's solitude or into one's private affairs; b) public disclosure of embarrassing private information; c) publicity which puts him/her in a false light to the public; d) appropriation of one's name or picture for personal or commercial advantage.
The answer will depend on the information that was released, such as whether it contained medical records. However, if you made your health a matter in the lawsuit, you will be deemed to have waived the confidentiality of related medical records. Business record of an employer regarding an employee generally aren’t confidential. The Americans With Disabilities Act (ADA) imposes very strict rules for handling information obtained through post-offer medical examinations and inquiries. Employers who are covered by the ADA must keep these medical records confidential and separate from other personnel records. The Health Insurance Portability and Accountability Act (HIPAA) also imposes privacy obligations on many employers who provide group health plans. (Employers who administer their own plans and have fewer than 50 participants don't have to comply with HIPAA's privacy rules, and employers that sponsor plans that receive only enrollment information have minimal obligations.) Under HIPAA, employers are required to protect the privacy of employees' personal health-related information by designating an in-house privacy official, adopting policies and procedures to keep this information private, and notifying employees of their privacy rights, among other things. An employer may ask an employee to voluntarily waive privacy rights in medical information, such as by signing a release of records to prove fitness for the job. However, if employers ask health care providers for information about employees, health care providers cannot disclose information without employee consent and authorization. And while HIPAA doesn't protect employment records, even if there is health-related information contained in those records, the information may only be used for the purposes expressly stated in the authorization that has been provided to the physician.
The Privacy Rule permits a covered entity to use and disclose PHI, with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. Additional requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following:
Required by law.
Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local. Public health. PHI can be disclosed to public health authorities and their authorized agents for public health purposes including but not limited to public health surveillance, investigations, and interventions.
Health research.
A covered entity can use or disclose PHI for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent's information.
Abuse, neglect, or domestic violence.
PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.
Law enforcement.
Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order, to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime, or to report a crime.
Judicial and administrative proceedings.
A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances.
Cadaveric organ, eye, or tissue donation purposes.
Organ-procurement agencies may use PHI for the purposes of facilitating transplant.
Oversight. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.
Worker's compensation.
The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.
Other Authorized Disclosures
A valid authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must specifically identify the PHI to be used or disclosed; provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI;
state the purpose for each request; notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances; be signed and dated by the individual or the individual's personal representative; be written in plain language; include an expiration date or event; notify the individual of the right to revoke authorization at any time in writing, and how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and explain the potential for the information to be subject to redisclosure by recipient and no longer protected by the Privacy Rule.
See the following for further discussion:
http://www.ogletreedeakins.com/publications/index.cfm?Fuseaction=PubDetail&publicationid=584
http://www.workplaceprivacyreport.com/2010/02/articles/ada/ada-confidentiality-drug-test-results-may-not-be-used-against-applicant-at-preoffer-stage/
http://www.privacyrights.org/fs/fs8-med.htm