By Brandi O. Brown, J.D.
In an appeal stemming from a jail employee’s unauthorized access of a coworker’s medical records, the Second Circuit ruled that the district court was wrong to conclude that the employees whose records were accessed did not have a constitutionally protected right to privacy in those records. Whether or not the employee’s illness was stigmatizing factored into the strength of the privacy interest and not whether it existed in the first place. However, the appeals court agreed that the employees could not proceed with a Computer Fraud and Abuse Act (CFAA) claim because they failed to present evidence of economic damages or an impairment of their medical care. The district court’s judgment was vacated in part (Hancock v. County of Rensselaer, February 9, 2018, Pooler, R.).
Medical records accessed. In 2011, certain employees of the Rensselaer County Jail learned that their Samaritan Hospital files had been the subject of unauthorized access at the jail. This was made possible by the fact that the hospital had provided a jail employee with access to its password-protected system, the purpose of which was to facilitate continuity of care of detainees who received care from hospital providers. According to the plaintiffs, who were jail employees, their records had been viewed at the behest of the sheriff, who was attempting to rein in jail workers’ use of sick leave. In fact, it was undisputed that the sheriff had enforced a sick leave policy that penalized those employees who were deemed to have taken “excessive” sick leave. The defendants failed to offer an alternative explanation for the access of the plaintiffs’ medical records.
Multiple lawsuits were filed against the county. In the lawsuit that gave rise to this appeal, the employees alleged violations of their right to privacy under the Fourteenth Amendment’s due process clause, as well as their rights under the CFAA. The CFAA claim was dismissed and the constitutional claim was the subject of a later, successful summary judgment motion. With regards to the latter, the district court found that the employees failed to show they had a constitutionally protected right to privacy in their medical records because that right was limited to records that contained evidence of serious and stigmatizing medical conditions. None of the employees had information in their records that would expose them to discrimination, the court concluded; therefore, they could not establish that their rights had been violated.
Identified a constitutional right. With regards to the summary judgment decision, the Second Circuit found the district court had erred. The employees successfully identified a constitutional right by invoking the right to privacy in information about one’s body. The due process clause of the Fourteenth Amendment protects individuals in the Second Circuit from “arbitrary intrusions into their medical records,” the appeals court noted. However, this fundamental right is not an absolute one. Rather, a violation occurs only when the individual’s privacy interest outweighs that of the government in breaching it. With regards to executive actions, the evaluating court must ask “whether the action was so ‘arbitrary’ as to ‘shock the conscience.’”
Balancing act. When employees have not consented to their employer’s access, and that access has not taken a form previously approved by a court, the court must engage in “context-specific balancing.” The strength of the privacy interest in question is relevant, the appeals court explained, “but only in service of determining how strong the government’s interest must be in order to override it.” There are also other relevant factors. “If the right to privacy were to depend exclusively on the seriousness of the condition one seeks to keep private,” the court noted, “medical records would not truly be protected from arbitrary government intrusion.” Identifying that strength “never ends the analysis.” The executive branch’s interest in breaching that privacy must be examined. Thus, the stronger the individual interest is, the more compelling the reason must be for breaching it. However, even the weakest interests cannot be overborn by “totally arbitrary to outright malicious government action.”
Employer’s reason matters. In this case, the district court failed to consider factors beyond the seriousness or stigma of the employees’ diagnoses. Nor did the court consider the government’s intent in violating the employees’ privacy right. Not only should the district court reconsider whether it set the threshold too high in evaluating the employees’ condition, it will be “at least as important” for it to consider the fact that the employer failed to offer any reason for its breach. If the employees’ assertion is correct—that the sheriff had maliciously accessed the records in order to assist in enforcement of sick leave policies or in order to gain leverage over employees—then that would “likely” shock the conscience of the court, “regardless of the contents of” those records. “It is exactly this type of abuse of state power that protecting the zone of privacy is meant to guard against.”
The court also noted that, on remand, the district court should determine whether the sheriff and other individually named defendants are entitled to qualified immunity.
CFAA claims. However, the appeals court agreed that the employees failed to plead damages in support of their CFAA claims, which was required to proceed with subclause (I) of 18 U.S.C. sec. 1030(c)(4)(A)(i). They also failed to plead facts supporting either a potential or actual modification or impairment of their treatment or care, as required under subclause (II).
Interested in submitting an article?
Submit your information to us today!Learn More