Normally I do not like to comment on cases that are not final or court opinions that do not have a definitive outcome on a case. But this is an exception because of the topic, which is HIPAA and privacy, which can get overlooked too frequently. Also, because the facts are such that it could happen to other employers, it bears consideration.
The case is Myers v. Hog Slat, Inc., which is pending in the Northern District of Iowa. Myers was employed by Hog Slat and happens to have a daughter who is very ill. So ill, in fact, that she incurred medical expenses of around $1,000,000. The employer’s plan is a self-insured health plan, which paid the expenses. They then terminated Myers, which they claimed was for cause. Myers sued, making claims under the Americans with Disabilities Act (ADA) and interference with benefits in violation of ERISA (a Section 510 claim).
After the close of discovery, the employer moved for summary judgment. The Court denied the motion, which means the case can proceed to trial. The Court determined that the ADA prohibits discrimination against an employee due to expenses arising from a family member’s disability. But more importantly (from my point of view) was the fact that the Court cited numerous pieces of evidence that not only did the company executives know that Myers’ child was extremely ill, but they actively engaged in discussions about how they could limit the plan’s exposure to those claims. One key piece of evidence was an e-mail from Myers to the CFO updating him on the condition of Myer’s daughter. And therein lies the rub.
Arguably, Myers’ e-mail did not implicate HIPAA medical privacy concerns because the individual health information was provided by the father of the child, who was acting on behalf of and for the child. Information provided voluntarily by the patient himself or herself (or in this case the parent of a minor patient) is not protected health information (PHI) under HIPAA. Further, because the CFO knew about the sick child, he was able to review the plan expenses and deduce that the higher costs were associated with that particular dependent. Even that was not in and of itself a violation of HIPAA medical privacy (assuming his role with the plan was part of the plan’s operation). So there is no indication that there was an improper use of PHI so as to create a privacy violation under HIPAA.
But just because there is not a violation does not mean the employer can freely act on that information. Remember that one of the purposes of the HIPAA privacy rules is to make sure that employees do not suffer adverse employment actions as a result of their employer getting wind of their medical costs paid by the plan. Here, the employer may not have violated the “privacy rule” but it still used that information to terminate the employee. So the fact that “medical information” may not be protected does not mean the employee is not still protected from an employer misusing that information.