Reasonable Expectation Legal Blog Focusing On Privacy and Data Security Issues


Worried About Employees Snooping for Patient Information? Worry More.

Contributed by M. Scott Koller as part of the Privacy Matters series.

Hospitals are facing increased scrutiny over the privacy of patient medical records.  An investigation by HHS’s Office of Civil Rights concluded that a Southern California hospital failed to reasonably restrict access to patient information to only those employees with a valid reason to view the information.  A link to the OCR's decision is here.  As part of the settlement with Department of Health and Human Services, the hospital must implement new privacy and security policies approved by OCR, to conduct regular trainings for all employees with access to protected health information, to sanction offending employees, and to designate an independent monitor who will assess the hospital’s compliance over the next 3 years.

Interestingly enough, this settlement comes on the heals of a dramatic increase in enforcement activity by the HHS.  The most recent enforcement action is the third major settlement to be announced this year.  In fact, the first monetary penalty imposed by the HHS for violations of the HIPAA Privacy took place on February 22, 2011 when HHS fined Cignet $4.3 million for failing to provide 41 patients with access to their medical records.  That same month, Massachusetts General Hospital paid the HHS $1 million in connection with the loss of 192 billing records for HIV/AIDs patients.  The HHS confirmed the renewed focus on HIPAA violations in a statement by OCR’s Director Georgina Verdugo stating, "We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement."

As a result, covered entities should take this opportunity to take a close look at their HIPAA compliance programs in light of the HHS’s increased enforcement efforts.

Tagged as: , , , No Comments

Blizzard Reverses Decision to Post Subscriber’s Real Names on Internet Forums

The video game publisher Blizzard has reversed its decision that would have required anyone posting on their forums to use their real name.  Blizzard is the developer of several highly popular video games, including World of Warcraft, the top MMO with over 10 million subscribers.  For each of its games, Blizzard operates a internet forum where any subscriber can post comments, ask questions or just interact with fellow gamers.  Of course, as with the rest of the internet, these forums are infested with juvenile antics, name calling, offensive, inappropriate and sometimes irrelevant material. As it so often does, hiding behind the veil of anonymity brings out the worst in some people.  Nethaera summed it up by saying:

The official forums have always been a great place to discuss the latest info on our games, offer ideas and suggestions, and share experiences with other players -- however, the forums have also earned a reputation as a place where flame wars, trolling, and other unpleasantness run wild.

Nethaera, Blizzard Employee. On July 6, 2010, Blizzard sought to counter act this phenomenon by requiring anyone posting or replying to a post on official Blizzard forums to do so using their real first and last name.  Therefore, instead seeing a character screen name, such as AFluffyBunny, subscribers would see the poster's full name.  As explained by Blizzard, "Removing the veil of anonymity typical to online dialogue will contribute to a more positive forum environment, promote constructive conversations, and connect the Blizzard community in ways they haven’t been connected before." Alas, this Utopian vision for the internet was not meant to be.

The negative reaction was overwhelming.  Outraged, hundreds of gamers took to the forums and blogs to condemn the decision.  In an attempt to trivialize the move, one Blizzard employee posted his real name on the forums.  Within minutes, his address, phone number, photograph and more was posted for all the world to see.  Ultimately, it took only three days for Blizzard to change its mind.  Citing community feedback, Blizzard reversed its previous decision stating that using your real name will not be required in order post on the forums.

Ultimately, I believe Blizzard made the right decision.  Cleaning up online forums its a lofty goal, but it is also a herculean task that violates two of the key tenets of the internet, free speech and anonymity.


Identity of Anti-Gay Marriage Supporters May Be “Out”-ed by Supreme Court Ruling

Upon entering or leaving my neighborhood grocery store, I am usually confronted by either children selling cookies or individuals seeking my signature or vote on a variety of political causes.  Even thought I am more likely to purchase a box of cookies than I am to sign a political petition, I have never considered the privacy implications of signing a petition, until now.

In Doe v. Reed, __ U.S. __ (Decided June 24, 2010), the Supreme Court addressed the narrow question of whether disclosure of referendum petitions would violate the First Amendment.  The facts are fairly straightforward.  In May of 2009, the State of Washington enacted a bill that would expand the rights and responsibilities of domestic partners, including same-sex domestic partners.   This bill, known as Senate Bill 5688, was drafted by the legislature and signed into law by Washington’s Governor Christine Gregoire.

Seeking to repeal the bill, a group by the name of Protect Marriage Washington started collecting signatures in order to place a referendum on the ballot that would give the voters the opportunity to vote on the bill.  Protect Marriage collected the required signatures and the referendum was placed on the ballot.  Prior to election night, the Secretary of State received several public records requests seeking disclosure of the names of the individuals who signed the petition.   This information would include the names, address and county of residence for each of the 137,000 signatures submitted.  The Washington Public Records Act (“PRA”) makes available for public inspection “any writing containing information relating to the conduct of government or the performance of any governmental or proprietary function.”   Since the Secretary of State considered the referendum petition to fall under that definition, the identity of those who signed the petition was considered a public record.  Protect Marriage objected to the disclosure citing privacy concerns and sought a preliminary injunction to enjoin the disclosure of the petition signatories.

In an 8-1 decision, the Supreme Court held that the disclosure of referendum petitions do not, as a general matter, violate the First Amendment.  Writing for the majority, Chief Justice Roberts wrote:

“Public disclosure thus helps ensure that only signatures counted are those that should be, and that the only referenda placed on the ballot are those that garner enough valid signatures.  Public disclosure also promotes transparency and accountability in the electoral process to an extent other measures cannot.”

As a result, the Court held that the State’s interest in preserving the integrity of the electoral process is sufficient to defeat the argument that the PRA is unconstitutional when applied to referendum petitions.

On the surface, this holding seems to be relatively clear-cut.  However, when you dive a bit deeper into the Court’s opinion, you find that this issue is far from over On appeal to the Ninth Circuit, the plaintiff asserted two key arguments: first, that the PRA was unconstitutional when applied to referendum petitions in general and second, that the PRA was unconstitutional when applied this specific petition.  Since the Appellate decision was based solely on the first argument, the Supreme Court declined to address the second argument, which is arguably the stronger of the two.  Therefore, in the event this case returns to the Supreme Court, would the outcome remain the same?

In Reed, Chief Justice Roberts acknowledged that those resisting disclosure can prevail under the First Amendment if they can show “a reasonable probability that the compelled disclosure [of personal information] will subject them to threats, harassment, or reprisals from either Government officials or private parties.”  Reed citing Buckley v. Am. Constitutional Law Found. (Buckley II), 525 U.S. 182, 197, 119 S.Ct. 636, 142 L.Ed.2d 599 (1999).  In this case, the Respondents acknowledged their intent to publicly identify those who had signed the petition and broadcast the signers’ political views via a searchable internet website.  This, plaintiff argued, would be a blueprint for harassment and intimidation, effectively chilling future political participation.  However, a number of the Justices seemed to disagree.  Justice Stevens argued that “there would have to be a significant threat of harassment directed at those who sign the petition that cannot be mitigated by law enforcement measures” and that such harassment “is unlikely to occur in cases involving the PRA.”  Further, Justice Sotomayor, who was joined by Justice Ginsburg and Stevens,  viewed the burden on public speech as “minimal” and wrote that “disclosure of the identity of petition signers, moreover, in no way directly impairs the ability of anyone to speak[.]”  Even Justice Scalia, compared the act of signing a petition to the act of legislating, which he noted, “Our Nation’s longstanding traditions of legislating and voting in public refute the claim that the First Amendment accords a right to anonymity in the performance of an act with governmental effect.”

Apart from Justice Thomas, who believe the PRA was unconstitutional as applied to referendum petitions in general, the only other support came from Justice Alito.   Even though he voted with the majority, Justice Alito noted that “plaintiffs in this case have a strong argument that the PRA violates the First Amendment as applied to the Referendum 71 petition.”  Since it appears that at least five of the justices seem to be predisposed toward rejecting even a narrow First Amendment challenge to the PRA, its seems unlikely that signatories to the referendum petition will be able to remain anonymous.  Accordingly, anyone who is deciding whether to sign a referendum petition, should decide if they want to be publicly identified with that particular political issue.


Court Opinions