by: David Rabinowitz

As published in the March 28, 2001 issue of iHealthcare Weekly

The revised Health Insurance Portability and Accountability Act Privacy Rule issued by the Department of Health and Human Services expanded the scope of protected information from electronically stored or transmitted information to information regardless of medium.  The revised regulations still do not and, under HIPAA, could not, create a private cause of action on behalf of individuals whose information is used or disclosed in violation of those regulations.  This limitation substantially mitigates the potential impact of the regulations on the health industry and its liability insurers.

Handlers of health information may be subject, however, to a pair of related federal statutes that do provide rights to sue for individuals who have transmitted information electronically.  A recent decision of the federal appeals court for the Ninth Circuit (Konop v. Hawaiian Airlines¹), interpreting the federal Wiretap Act of 1968 and the federal Stored Communications Act of 1986², clears at least one obstacle to a right to sue for the invasion of electronically transmitted or stored health information.

The case arose in a context far from medical records.  Konop, the plaintiff (who represented himself), was a pilot with Hawaiian Airlines.  He maintained a website where he criticized management and also criticized the pilots' union for being too compliant with management.

What made the case a privacy case is that the website was private.  Access was given only to certain airline employees, and not to managers or union officials.  In addition, to obtain a password to access the website, employees had to agree not to disclose its contents.

The airline nevertheless obtained access to the website, apparently by using pilots' passwords.  What the airline found on the website allegedly caused it to suspend Konop in retaliation.

Konop retaliated in turn with a lawsuit alleging a number of wrongs, including claims under the Wiretap Act and the Stored Communications Act.³  Both the Wiretap Act and the Stored Communications Act give individuals the right to sue.  The Wiretap Act gives a right to sue to any person whose electronic communication is intentionally intercepted, disclosed or used, unless the interception is one of the kinds permitted by the Act.⁴  The Stored Communications Act gives a right to sue to any person "aggrieved" by a knowing or intentional obtaining of access, either without or in excess of authorization, to information electronically stored by a facility through which an electronic communication service is provided.⁵  An "electronic communication" under both statutes is defined, with some exceptions, as any electronic transfer of information that affects interstate commerce.⁶  Damages under both acts include the actual damages suffered by the plaintiff and any profits made by the defendant.  A successful plaintiff can receive counsel fees.  Successful plaintiffs under the Wiretap Act receive a minimum of $10,000 in damages, while the minimum under the Stored Communications Act is $1,000.⁷

What the Konop case established is that both Acts protect not only electronic transmissions of information, but also protect the transmitted information when it is stored electronically.  Reversing a dismissal in the court below, the appeals court held that Konop had stated a claim under both statutes.  Under the Wiretap Act, the issue that the Court addressed was whether the interception had to take place while the electronic communication was taking place, or whether access to the communication after the communication was stored was sufficient.  While criticizing the Wiretap Act as unclear, the Court at length concluded that accessing the stored communication constituted interception.  The Court had little trouble finding that a claim was stated under the Stored Communications Act.

There are a number of possible barriers to liability under both of these Acts, as against typical institutions in the health industry.  First is the question of whether such institutions and their computers and other electronic data storage and transmission facilities constitute an "electronic communications service", such that their stored communications of health information would be subject to the Stored Communications Act.  "Electronic communication service" is defined, in substance, as any service that gives users the ability to send or receive electronic communications.⁸  At least one case has expressed skepticism that a company engaged in a primary business other than that of communications transmission is such a service or facility.⁹  If the construction suggested in that case were generally adopted (there is not yet enough case law to know whether this will happen), it would probably protect most health insurers, hospitals, doctors and the like.  It might not, however, immunize entities that offer information transmission services as one of their primary businesses - clearinghouses, for example.

Second, the recipient of an electronic communication may "intercept" the communication under the Wiretap Act, or obtain access to the stored communication under the Stored Communications Act.¹⁰  Thus, a provider, for example, is not restricted by these Acts from accessing information sent to it.  However, the intended recipient may not disclose the information without "the lawful consent" of the transmitter.¹¹  Thus, information disclosed beyond any consent given by a patient, for example, might still give rise to a claim under the Stored Communications Act, despite the absence of a right to sue under the HIPAA Privacy Rule mandating the consent in the first place.  Which statute would prevail?  Since the claim would arise under an Act other than HIPAA, the answer would appear to be that a right to sue would exist.

Firm answers are yet to be given to these questions.  They do suggest, however, that regardless of the absence of a right to sue under HIPAA regulations, and despite the condition of state privacy law in your institution's state¹², a federal claim for invasion of the privacy of electronically transmitted or stored information, including health information, is taking shape.

1 236 F.3d 1035 (January 10, 2001).

2 Title II of the Electronic Communications Privacy Act of 1986, P.L. 99-508, 100 Stat. 1868.

3 18 U.S.C. §2701 et seq.

4 18 U.S.C. §2520(a).

5 18 U.S.C. §§2701(a), 2707(a).

6 18 U.S.C. §2510(12).

7 18 U.S.C. §§2520(c)(2), 2707(c).

8 18 U.S.C. §2510(15).

9 State Wide Photocopy, Corp. v. Tokai Financial Services, Inc., 909 F. Supp. 137, 145 (S.D.N.Y. 1995).

10 18 U.S.C. §2701(c)(2).

11 18 U.S.C. §§2511(3)(b)(ii), 2701(c)(2), 2702(b)(3).

12 Some states may provide an explicit cause of action for breach of privacy of medical information (see, e.g., N.J. Stat. 17.23A-20).  These state laws would not be preempted by the HIPAA Privacy Rule.