Dec 20 2023
Amanda DeMatteis: Hi, Josh.
Josh Goodbaum: Hi, Amanda. What are we talking about today?
DeMatteis: We actually got a question on YouTube, and I thought we should absolutely answer it and encourage our viewers: if you ever have questions, let us know, and we’ll try to answer them in a video like this one.
So this question, Josh, is: An employee overheard their boss telling a group of employees about someone else’s protected health information (PHI), and they reached out to us and said this doesn’t seem right. Could that employee do anything about that?
Goodbaum: Probably not, if what you’re asking is if the employee can sue. The employee hasn’t been injured, it’s not your private health information, and you probably don’t have enough distress to state a claim of any kind. So, you could tell the employee they’re making fun of what’s happening to him or her. And I think that would be protected conduct such that you couldn’t be retaliated against for it. But it’s probably not the kind of thing you would do anything about on your own, at least legally. As an ethical or moral matter, you could certainly go to your boss and say, “Hey, this doesn’t seem right. Could you, you know, stop doing this? I don’t appreciate it.”
DeMatteis: Let’s switch the hypothetical up a little bit and assume for a moment that you overheard your boss talking about your private health information. So, let’s assume you sent your boss an email about a health issue that you had going on, and you yourself overheard your boss sharing that confidential health information with other employees. Anything the employee can do then?
Goodbaum: Then, yes. Many people will be familiar with this federal law called HIPAA, H-I-P-A-A. It stands for the Health Insurance Portability and Accountability Act, and I’m sure you’ve signed a HIPAA authorization every time you’ve gone to a doctor, right? That’s how people know about it.
HIPAA says a lot of things, including that private health information needs to stay private. Now, there is no private right of action under HIPAA, and what that means is, if your rights are violated under HIPAA, in general, you can’t sue for that violation under HIPAA.
But there are two other ways that you could sue your employer for talking about your private health information with people who don’t need to know.
The first is under the Americans with Disabilities Act (ADA). The ADA requires that medical information given to an employer be kept confidential in most cases and shared only with those who need to know about it, like the folks in benefits or the folks in HR. And importantly, you generally don’t need to be disabled in order to have this protection. So, usually under the ADA, in order to sue, you have to show that you were disabled. Here, you don’t. Any of your private health information, even if it’s about you being perfectly healthy and not having a disability, is still private, and your employer shouldn’t be sharing it.
That’s a federal cause of action. And then there can be state law causes of action. Here in Connecticut, there could be a cause of action for invasion of privacy, for negligence, maybe for intentional infliction of emotional distress. Every situation is going to be a little different. But if your employer disclosing your private health information has caused you significant emotional distress, that’s a reason to go talk to a lawyer and at least explore your options.
DeMatteis: That’s really useful information, Josh. Thank you so much for sharing it with us. If you have any other questions about that, please feel free to give us a call. As always, thank you for watching. Take care.