- 2009 Volume 6 Number 4 October- December
- Legal Case Study: Florida Department of Corrections v. Lisa M. Abril (Fla. 2007)
Legal Case Study: Florida Department of Corrections v. Lisa M. Abril (Fla. 2007)
Cristina Palacio, Esq. Senior Associate General Counsel
The enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 1996 brought national focus on the issue of patient confidentiality. But long before HIPAA, Florida statute and common law both recognized the importance of patient confidentiality. To the extent that those statutes do not conflict with HIPAA, or provide even stronger protection than HIPAA, that law is still controlling today. Moreover, while HIPAA allows for the imposition of government sanctions against a person or entity that violates its provisions, it does not provide a private cause of action. State law, however, does. In Florida Department of Corrections v. Abril, we see how a patient can directly recover damages from an entity that inappropriately discloses confidential personal health information.
In this case, Lisa Abril, a licensed practical nurse at the Hendry County Correctional Institution (HCCI) gave unprotected mouth-to-mouth resuscitation to an inmate. The inmate was known to have hepatitis C, but his HIV status was unknown. Considering herself to have suffered a significant exposure, Ms. Abril sought to have herself tested for hepatitis C and HIV through Continental Laboratory, a lab under contract with the State Department of Corrections (DOC) to provide HIV testing for inmates. After the test was performed, a DOC department employee requested information about the test to investigate a concern that the use of Continent Laboratory for testing Ms. Abril’s blood was not authorized. In response to the request, Ms. Abril alleged that Continental transmitted Ms. Abril’s test results – including a (false) positive HIV test result – to unsecured fax machines in the HCCI office and in the Tallahassee DOC office, resulting in the unauthorized disclosure of the positive HIV test result to a number of DOC employees. Allegedly as a result of the improper disclosure (not the misdiagnosis), Ms. Abril had to undergo treatment for severe depression and posttraumatic stress disorder. Consequently, Ms. Abril filed a civil action seeking damages for, amongst other things, mental anguish and emotional distress as a result of Continental Laboratory’s negligent failure to ensure the confidentiality and privacy of her HIV test results, causing the test results to be improperly disseminated to unauthorized personnel.
As with all negligence cases, the first question in determining whether Ms. Abril had a viable claim that Continental was liable for negligence was whether it owed Ms. Abril a duty of confidentiality. (Note that the case indicates that the DOC has been sued. Ms. Abril’s complaint alleged, and DOC did not dispute, that the DOC was liable for Continental’s negligence as its agent.) In coming to the conclusion that Continental did owe Ms. Abril a duty of confidentiality, the Court relied on both statutory law and the right to privacy found in the Florida Constitution.
The Court began its analysis with Florida Statute section 381.004(3)(f), which provides that:
“Except as provided in this section, the identity of a person upon whom a[n HIV] test has been performed is confidential and exempt from the provisions of [the public records law]. No person to whom the results of a test have been disclosed may disclose the test results to another person except as authorized [by law].”
Citing to Florida cases that “have long recognized that the violation of a statute may be utilized as evidence of negligence” the Supreme Court found that section 381.004(3)(f) “at a minimum, creates a reasonable standard of care for handling HIV testing results” and that if proven during trial, the allegations made by Ms. Abril could be sufficient to indicate that Continental had acted negligently by violating the duty imposed by section 381.004 to maintain confidentiality of HIV test results and disclose only as authorized by law.
Furthermore, the Court noted that, in addition to the explicit confidentiality provisions of F.S.
§381.004, Florida Statute section 483.181(2), which governs clinical laboratories, mandates a lab to report its test results “directly to the licensed practitioner or other authorized person who requested it.” The Court cited the clinical lab statute as another indication of the lab’s duty to maintain patient confidentiality. Of even more significance in the Shands HealthCare settings, in its analysis the Court specifically referred to F.S. §395.3025 (relating to hospital medical records) as a potential statutory basis for a breach of confidentiality negligence action. F.S. §395.3025 provides that, with limited enumerated exceptions, a patient’s medical records are confidential and cannot be disclosed without patient consent. Despite the fact that neither HCCI nor the DOC are subject to F.S.
§395.3025, the Court stated that “it [was] apparent that more than one Florida statute may have been breached by the disclosure of Ms. Abril’s confidential medical information.”
Moreover, the Florida Supreme Court stated that “[t]here is a long tradition of recognizing the privacy interest of patients in confidential medical records.” In so noting, the Court quoted from its own decision 5 years earlier in State of Florida v. Zina Johnson (Fla. 2002), in which it stated that “[a] patient’s medical records enjoy a confidential status by virtue of the right to privacy contained in the Florida Constitution….”
In Johnson, evidence obtained from a patient’s medical records was used to charge her with DUI manslaughter. Ms. Johnson was the driver in a single-car crash in which her passenger died. She was hospitalized with injuries, and during the course of treatment, blood was drawn. Pursuant to the requirements of F.S. §395.3025(4)(d), the hospital medical records statute, the State attorney tried to notify Ms. Johnson that her records were to be subpoenaed. The rationale behind the notice provision is that a patient should be granted the opportunity to object to the subpoena. Despite several attempts to serve notice to Ms. Johnson, the State attorney was unable to get her correct address (although a check of driver license records or post office forwarding addresses would have yielded it). Unable to fulfill the requirements of the Florida medical records statute, the State attorney instead relied on his general investigative subpoena power, which does not require notice to obtain the records (and which under HIPAA would have been sufficient). Ms. Johnson moved to suppress the evidence obtained from her medical records.
As noted above, the Johnson court recognized that a patient’s medical records enjoy confidentiality protection through the Florida Constitution right to privacy. But no Constitutional right is absolute, and so the Court analyzed the State’s actions under the well-established “compelling state interest” standard. That is, that the State may limit a constitutional right for compelling state interests. The Court acknowledged that controlling and prosecuting criminal activity is a compelling state interest. However, it also concluded that the subpoena notice requirement of F.S. §395.3025 is an appropriate legislatively established balance of a patient’s privacy rights with legitimate access to medical records for civil and criminal proceedings. Consequently, the Court held that the statute granting the State attorney investigative subpoena power does not override the notice requirement for obtaining medical records pursuant to subpoena under F.S. §395.3025, and the State was not permitted to use the information improperly obtained.
Note that in Johnson, no action was brought against the hospital for releasing the medical records pursuant to an invalid subpoena. The Court’s reference to F.S. §395.3025 in Abril, however, clearly indicates that such a release could be the basis of a breach of confidentiality negligence action against the hospital, or hospital personnel, for improper disclosure of medical records. How that case might look is illustrated by Suzanne Bagent v. Blessing Care Corporation, d/b/a Illini Community Hospital, and Misty Young (Ill. App. Ct. 2006). In Bagent, Misty Young, an employee of Illini Community Hospital, inadvertently disclosed that Suzanne Bagent was pregnant to Ms. Bagent’s twin sister – who happened to be a good friend of Ms. Young’s. Ms. Young, a phlebotomist, learned of Ms. Bagent’s pregnancy from a fax in the course of performing her duties. Later, meeting Ms. Bagent’s sister at the “tavern,” Ms. Young asked how Suzanne was feeling. When Suzanne’s sister asked what Ms. Young meant, she responded that she thought Suzanne was pregnant; upon further questioning from the sister, Ms. Young disclosed that she had seen the result of Suzanne Bagent’s pregnancy test. In finding the hospital could be sued for Ms. Young’s disclosure under the respondent superior (“let the master answer”) doctrine (providing that an employer may be liable for the actions of her/his employee), the court noted “the importance of the confidentiality of a patient’s medical records” and cited to Illinois statutes prohibiting hospitals and physicians from disclosing patient medical information without consent, except, as in Florida, under specifically enumerated circumstances. Ms. Young, while not subject to an action pursuant to the statutes, was potentially liable under a common-law right to privacy theory – much like the Florida Constitutional right to privacy.
Conclusion and Risk Reduction Tips
The importance of maintaining patient confidentiality cannot be overemphasized. A patient’s right to confidentiality of her/his personal health information is supported not only by HIPAA, but also by Florida State law, and the Florida Constitution. As these cases demonstrate, breach of that confidentiality can potentially expose both the hospital and the individual physician or hospital employee to a private negligence action under State law, and to potential sanctions by the Office of Civil Rights under HIPAA.
While familiarizing yourself with the statutes governing patient confidentiality is not practical, knowing the hospital policies relating to patient health information is essential. Those policies can be found in the “Confidentiality” section of Shands HealthCare Core Policies (CP 3 series), as well as CP1.35, CP1.18 and CP1.11; all of which are readily available on the Shands intranet website. And remember, when in doubt, contact Shands Legal Services and/or Privacy Office.