Normally I do not like to comment on cases that are not final or court opinions that do not have a definitive outcome on a case. But this is an exception because of the topic, which is HIPPA and privacy, which can get overlooked too frequently. Also, because the facts are such that it could happen to other employers and I bears consideration.
The case is Myers v. Hog Slat, Inc., which is pending in the Northern District of Iowa. Myers was employed by Hog Slat and happens to have a daughter who is very ill. So ill, in fact, that she incurred medical expenses around $1,000,000. The employer’s plan is a self-insured health plan, which paid the expenses. They then terminated Myers, which they claimed was for cause. Myers sued, making claims under the Americans with Disabilities Act (ADA) and interference with benefits in violation of ERISA (a Section 510 claim).
After the close the discovery, the employer moved for summary judgment. The Court denied the motion, which means the case can proceed to trial. The Court determined that the ADA prohibits discrimination against an employee due to expenses arising from a family member’s disability. But more importantly (from my point of view) was the Court cited numerous pieces of evidence that not only did the company executives know that Myers’ child was extremely ill, but actively engaged in discussions about how they could limit the plan’s exposure to those claims. One key piece of evidence was an e-mail from Myers to the CFO updating him on the condition of Myer’s daughter. And therein lies the rub.
Arguably, Myers’ e-mail did not implicated HIPAA medical privacy concerns because there is no indication that the e-mail was sent for purposes related to the health plan. Further, because the CFO knew about the sick child, he was able to review the plan expenses and deduce that the higher costs were associated with that particular dependent. Even that was not in and of itself a violation of HIPAA medical privacy (assuming his role with the plan was part of the plan’s operation). So there is no indication that there was an improper use of PHI so as to create a privacy violation.
But just because there is not a violation does not mean the employer can freely act on that information. Remember that one of the purposes of the HIPAA privacy rules is to make that employee do not suffer adverse employment actions as a result of their employer getting wind of their medical costs paid by the plan. Here, the employer may not have violated the “privacy rule” but it still used that information to terminate the employee. So even though the “medical information” may not be protected does not mean the employee is not still protected from an employer misusing that information.