1. Negligence.  Employers could be liable for a leak of personal information if they failed to exercise the degree of care that a reasonably prudent person would have used under similar circumstances.
2. Publication of Private Facts. Employers may be liable if there has been public disclosure of private information that is highly offensive to a reasonable person and not of legitimate concern to the public.
3. Communicable Disease Requirements Under A.R.S. § 36-664, et seq. Arizona employers who obtain information about an employee’s communicable diseases (including Covid-19 under A.R.S. § 41-1466) from a health care provider must not disclose that information except for limited exceptions. Communicable diseases include Hepatitis A, B, and C; HIV; Legionnaires’ disease; cholera; anthrax; dengue; plague; mumps; measles; novel coronavirus infection; rubella; smallpox; tuberculosis; West Nile virus; yellow fever; and Zika virus.
4. Intrusion on Seclusion. Liability may be imposed when an employer, without authorization, intentionally intrudes on an employee’s solitude, seclusion, or private affairs. This intrusion would be highly offensive to a reasonable person.

Other claims may also be available, including intentional infliction of emotional distress or even a breach of contract. It’s important to note that only an attorney would be qualified to assess your case and determine which claims are available.

HIPAA and Your Records

You may be wondering, “Is this a breach of HIPAA?” 

Possibly. Your employer can fall under the requirements of HIPAA if they are a group health plan sponsor or a group health plan administrator, which many – but not all – companies are. If your health information was disclosed to the company as part of a group health plan, then that leak may breach HIPAA’s Privacy Rule. 

Unfortunately, healthcare isn’t simple. Whether your employer must comply with the Privacy Rule, and whether a leak constitutes a breach of the Privacy Rule, are two questions that require the precise analysis of a health law attorney.

If an attorney does determine that the leak was a violation of HIPAA, then the two most frequent recourses are to file a complaint with the Department of Health and Human Services (HHS) and to file a lawsuit against the employer for negligence.

Filing a Complaint with HHS

Anyone can file a complaint alleging a breach of the Privacy Rule by going to HHS’s Office of Civil Rights (OCR). The complaint must name the entity or entities at fault and describe the act(s) or failure(s) to act that broke the Privacy Rule. Importantly, the complaint must be filed within 180 days unless OCR extends the deadline if the complainant showed “good cause.”

A complaint is not a private right of action. In fact, HIPAA does not provide a private right of action at all. See, e.g., Runkle v. Gonzales, 391 F.Supp.2d 210 (D.D.C. 2005). This means that a complaint will never be a tool to get money from the employer for their misconduct. Instead, a complaint is a report to the federal government, which may investigate and impose a punishment on the employer. 

OCR may penalize the employer up to $100 per violation of the Privacy Rule, up to a maximum of $25,000 each year. 

OCR can refer violations to the Department of Justice for investigation and prosecution of criminal misconduct as well. Criminal penalties can range from $50,000 and one year in prison to $100,000 and five years in prison for breaches under “false pretenses,” and up to $250,000 and 10 years in prison, if the breach was committed with “the intent to sell, transfer, or use, protected health information for a commercial advantage, personal gain, or malicious harm.” Ariz. Emp. L. Handbook § 8.8.3 (2007) (citing 45 U.S.C. § 1320d-6).

Filing a Lawsuit against Your Employer

Filing a complaint in court opens the door to recovering money from your employer for damages you incurred due to their negligence. As explained above, HIPAA does not permit individuals to directly sue for breaches of the Privacy Rule – that responsibility is left squarely on the shoulders of OCR and the Department of Justice. However, if your employer was required to comply with the Privacy Rule and failed to do so, you can file a suit against your employer for the tort of negligence and use HIPAA to demonstrate how the employer failed to safeguard your information with the applicable standard of care.

Disability Discrimination and Retaliation

What happens if you have a disability and you submit a request for a reasonable accommodation, and your employer harasses you and discloses that condition to the rest of the company? In addition to claims for your employer’s tortious misconduct, you may also have rights before the Equal Employment Opportunity Commission (EEOC) for violations of Title VII of the Civil Rights Act of 1964, the Civil Rights Act of 1991, and the Genetic Information Nondiscrimination Act of 2008 (GINA).

Your employer cannot harass you for requesting a reasonable accommodation for a disability and gossiping about your disability to your co-workers or others outside the organization may be harassment. You can file a charge under oath with the EEOC, identifying and describing the misconduct and the parties at play, to initiate a federal investigation.

After you file your complaint, you may wish to sue your employer as well. In that event, you can request a special letter from the EEOC under 29 C.F.R. § 1601.28(a)(1) called a Right-to-Sue Notice. This notice is the first step to filing your lawsuit, and it is required before you are allowed to sue.

Government Employees

Arizona’s Constitution Article 2, Section 8 forbids the disturbance of one’s private affairs without the authority of law. In the field of employment law, Arizona courts have applied this to mean that local and state governments are responsible for the private information of their employees. This claim is most frequently brought by government employees to challenge disclosures of information related to drug testing.

Your Next Step 

Now you know the most frequent claims that may be available in Arizona when an employer has leaked health information. You’ve likely learned that employment law and the security of your health data are complex and important. 

If your health information was leaked, your employer may be liable. It’s time to get an attorney on your side. At Counxel Legal Firm we are experienced in health care law and will take action on your behalf. We strive to provide you with peace of mind and support throughout your entire process.  Contact us today and work with an attorney who cares. 

Note: This article was written with Arizona residents in mind however, we offer legal counsel in additional states. If you do not live in Arizona but would like to discuss your rights please contact us. We would be happy to assist you.