Doe v. Group Health Cooperative of Puget Sound, Inc. , 85 Wash. App. 213 ( 1997 )


Menu:
  • 932 P.2d 178 (1997)
    85 Wash.App. 213

    John DOE, Appellant,
    v.
    GROUP HEALTH COOPERATIVE OF PUGET SOUND, INC., Respondent.

    No. 37558-0-I.

    Court of Appeals of Washington, Division 1.

    March 3, 1997.

    *179 Brian William Chestnut, Ziontz, Chestnut, Varnell, Berley & Slonim, Seattle, for Appellant.

    Kathryn M. Battuello, Moody & Battuello, Seattle, for Respondent.

    James P. O'Connor, Gladstone, OR, for Amicus Curiae.

    BECKER, Judge.

    Group Health used John Doe's name and consumer number, without his authorization, to illustrate a training exercise on how to process mental health claims. Doe sued Group Health, claiming damages under the Uniform Health Care Information Act. Granting a motion for summary judgment, the trial court dismissed this claim. We reverse. Whether the trainer disclosed "health care information", and whether the disclosure met the "need to know" test, are factual issues warranting trial.

    Since 1979 Doe has been a highly-placed employee at Group Health. Doe succeeded in his career despite having a bipolar disorder, a form of depression. Doe took steps to avoid having his mental health treatment history become known within Group Health because he feared it would stigmatize him among his fellow employees. He used an alias when receiving in-patient services at a Group Health hospital. He specially designated his medical file at Group Health as "confidential". He went outside of Group Health for some mental health services. He prohibited his therapist from sending detailed notes to Group Health without his permission. And he declined Group Health reimbursement for medications and laboratory work so that others within Group Health would not learn of his mental condition.

    In 1991 an employee in Group Health's billing and claims administration department held a routine training session for at least four staff members from Group Health's mental health department. The purpose of the training program was to teach the trainees how to use the claim-processing system. The trainer devised an exercise that called for trainees to access specific patient information from the computer and to use that information to practice filling out a claim form. The trainer compiled a training manual for use at this particular session. For the manual the trainer selected the actual names and consumer numbers of several Group Health patients who had obtained mental health services from other providers. The trainer made an effort to exclude Group Health employees from the examples, but she inadvertently included Doe. His name and consumer number appeared in the training materials under the heading:

    CLAIMS ADMINISTRATION TRAINING PROGRAM

    Mental Health/King Street

    HISTORY INQUIRY

    Under Doe's name and consumer number was a full page of practice questions that the trainees were to answer regarding claim history once they had accessed Doe's computer file. Seeing Doe's name in the manual, one of the trainees exclaimed that her boss was included in the manual. The trainer then had the trainees remove and discard the objectionable pages without accessing Doe's patient information in the computer. One of the trainees later discussed the disclosure with someone, who told someone else, who told Doe.

    Doe filed suit against Group Health alleging unauthorized disclosure of health care information in violation of RCW 70.02, the Uniform Health Care Information Act. Upon cross-motions for summary judgment, the court concluded that Group Health disclosed no "health care information" as defined by that statute, and dismissed the claim.

    "HEALTH CARE INFORMATION"

    The Uniform Health Care Information Act, enacted in this state in 1991,[1] regulates the disclosure of health care information. The Act allows a private right of action against health care providers who do not comply.[2] Doe claims that Group Health violated the Act's prohibition against disclosure *180 of "health care information" without the patient's authorization:

    Except as authorized in RCW 70.02.050, a health care provider, an individual who assists a health care provider in the delivery of health care, or an agent and employee of a health care provider may not disclose health care information about a patient to any other person without the patient's written authorization.[3]

    We will affirm the summary dismissal of Doe's claims only if we can say, after considering the facts in the light most favorable to Doe, that there is no genuine issue of material fact.[4] If Doe has raised a genuine issue of material fact, we must reverse.

    The Act defines "health care information" as "any information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient and directly relates to the patient's health care."[5] The trainees only saw Doe's name and consumer number; they did not go any further into Doe's file. Group Health takes the position that Doe's name and consumer number do not directly relate to his health care and cannot, as a matter of law, constitute health care information for purposes of the Act.

    The mere fact that Doe has a consumer number does not, by itself, directly relate to his health care. But the fact that a person is receiving a specific type of treatment is information directly related to that person's health care.

    The trainer did not say that she had selected actual mental health patients for use in the exercise. But the trainees—all employees of the mental health division—knew they were there to learn how to access the mental health treatment history of Group Health patients. And at least two trainees present did in fact conclude that John Doe received mental health services. We conclude a reasonable person could infer from the context of the disclosure that Doe was a recipient of mental health treatment. It therefore is possible for a jury to conclude that the use of Doe's name and number in this context disclosed "health care information."

    At the same time, Doe has not conclusively demonstrated that the circumstances of the disclosure necessarily informed those present that he was receiving mental health services. The trainer did not tell the trainees they would be working with consumers who had mental health claim histories. Only part of the exercise sheet was specific to inquiries regarding mental health. A finder of fact could reasonably conclude that the information about Doe that Group Health disclosed to its trainees was not information directly relating to his health care.

    "NEEDS TO KNOW" EXCEPTION

    Group Health next argues that even if the information disclosed was "health care information", the Act permits it to disclose such information to its own claims processing trainees without the patient's authorization.

    The Act makes a number of exceptions to the general rule against unauthorized disclosure of health care information, "to the extent a recipient needs to know the information".[6] Group Health invokes the exception allowing disclosure for certain administrative purposes:

    (1) A health care provider may disclose health care information about a patient without the patient's authorization to the extent a recipient needs to know the information, if the disclosure is:
    ....
    (b) To any other person who requires health care information for health care education, or to provide planning, quality assurance, peer review, or administrative, legal, financial, or actuarial services to the health care provider; or for assisting the health care provider in the delivery of health care and the health care provider reasonably believes that the person:
    *181 (i) Will not use or disclose the health care information for any other purpose; and
    (ii) Will take appropriate steps to protect the health care information....[7]

    The training exercise was conducted to satisfy a legitimate administrative need. The Act therefore permits the unauthorized disclosure of patient health care information to trainees "to the extent the recipient needs to know the information."[8]

    Group Health argues that the trainees needed to know how to access records properly. But the issue posed by Doe's suit is whether the trainees needed to use actual names to learn how to access records. The trainer acknowledged in her deposition that it would have been possible to conduct the exercise using only the consumer numbers for identification, and not the names. An expert witness testified that Group Health, without great expense, could alter its computer system so that names could not be revealed by the computer during a training exercise. This creates an issue for the finder of fact.

    Group Health contends that the "needs to know" requirement, if held applicable every time an administrative employee accesses patient files, will stifle important in-house communications and impair effective management. In Group Health's view, the Act contemplates unrestricted sharing of health care information among administrative employees so long as the organization properly trains its employees in rules of confidentiality.

    The Legislature has foreseen the problems that would result from an absolute ban on unauthorized disclosures of patient information. The Act provides numerous exceptions permitting disclosures without patient authorization when necessary to provide health care, to avoid imminent danger, for use in research, to perform an audit, and in numerous other circumstances.[9] But the Act subjects even these disclosures, unless required by law or compulsory process, to the "needs to know" limitation.

    Here, the issue is whether the trainees needed to know that Doe in particular had received mental health treatment. Doe has raised an issue of fact. A jury could conclude that Group Health was obliged to obtain Doe's permission before identifying him in a group training session as an example of a mental health patient.

    Group Health also attempts to invoke the Act's exception permitting unauthorized disclosure of "directory information" unless the patient has given explicit instructions not to provide it.[10] Directory information is information "disclosing the presence, and for the purpose of identification, the name, residence, sex, and the general health condition of a particular patient".[11] The statutory definition does not include the fact that a patient has received a particular form of medical treatment. Even if a jury decides that the disclosure in this case merely involved directory information, it would still be subject to the "needs to know" limitation.[12] A jury could reasonably conclude that the exception does not excuse Group Health from liability for the disclosure that occurred during the training session.

    In summary, all the issues under the Uniform Health Care Information Act are for the jury to decide. We reverse the trial court's order granting Group Health's motion for summary judgment on the statutory claim, and affirm the order denying Doe's motion for summary judgment of liability on the same claim.

    COMMON-LAW CAUSE OF ACTION

    As a separate cause of action, Doe asserted Group Health invaded his right to privacy by public disclosure of private facts. This common-law cause of action is defined as follows in the Restatement (Second) of Torts:

    *182 One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.[13]

    Since the trial court was of the view that the only disclosure was Doe's name and consumer number, the court concluded that the private facts disclosed could not be highly offensive to a reasonable person, and dismissed this claim as well. Doe has assigned error to this dismissal.

    Group Health argues that the publication must be made to the public at large.[14] Doe maintains that publication even to an audience of one may give rise to the cause of action.[15] Both parties rely on authority from other jurisdictions. They assume on appeal, as they did below, that Washington recognizes the common-law cause of action described in the Restatement. We are unable to verify that assumption.

    Invasion of privacy is a relatively new addition to the common law of torts. Its genesis is an 1890 law review article, "The Right to Privacy," by Samuel D. Warren and Louis Brandeis.[16] In 1911, in Hillman v. Star Pub. Co.,[17] the Washington Supreme Court reviewed a young woman's claim for damages resulting from a newspaper's publication of her photograph to illustrate an article describing fraud charges against her father. After considering the Warren-Brandeis article and other authorities, the court nevertheless declined to recognize a remedy for "an invasion of the so-called right of privacy."[18] The court declared that the plight of the plaintiff was "a subject for legislation".[19]

    In the 1947 case of Lewis v. Physicians & Dentists Credit Bureau,[20] the Supreme Court again considered whether an actionable right to privacy exists in Washington. The plaintiff claimed the credit bureau had invaded her right to privacy by calling up her employer to complain that she had not paid a doctor's bill. The court outlined its previous references to the right of privacy but found it unnecessary to decide whether invasion of privacy was an actionable wrong, since the conduct of the credit bureau would not constitute a violation in any event.

    A line of cases relied on by the parties has interpreted the Public Disclosure Act's reference to the "right to privacy"[21] by reference to the Restatement's chapter defining invasion of privacy.[22] In response to the Supreme Court's use of the Restatement to fill the definitional void, the Legislature in 1987 enacted a statute defining "right to privacy" in a manner consistent with that line of cases.[23] That statute also states that the disclosure chapter[24] provisions dealing with the right to privacy "do not create any right *183 of privacy beyond those rights that are specified in this chapter".[25]

    A few recent Washington cases have assumed the existence of a cause of action for invasion of privacy as a preliminary to concluding that there could be no actionable claim under the circumstances presented.[26] But the Supreme Court has not on any occasion explicitly abandoned its decision in Hillman, and we are not persuaded that these other references to a right of privacy have overruled Hillman implicitly. If the common-law cause of action for invasion of privacy does not exist in Washington, this court is not in a position to define its shape. On that basis we affirm the trial court's dismissal of Doe's claim for invasion of privacy by public disclosure of private facts.

    The dismissal of the statutory cause of action is reversed. The dismissal of the common-law cause of action is affirmed.

    WEBSTER and ELLINGTON, JJ., concur.

    NOTES

    [1] See Laws 1991, Ch. 335 (codified at RCW 70.02).

    [2] RCW 70.02.170.

    [3] RCW 70.02.020.

    [4] U.S. Life Credit Life Ins. Co. v. Williams, 129 Wash.2d 565, 569, 919 P.2d 594 (1996).

    [5] RCW 70.02.010(6).

    [6] RCW 70.02.050(1).

    [7] RCW 70.02.050(1).

    [8] RCW 70.02.050(1).

    [9] RCW 70.02.050.

    [10] RCW 70.02.050(1)(j).

    [11] RCW 70.02.010(2).

    [12] RCW 70.02.050(1)(j).

    [13] Restatement (Second) of Torts, § 652D.

    [14] See Wells v. Thomas, 569 F. Supp. 426, 437 (E.D.Pa., 1983); Restatement (Second) of Torts, § 652D, cmt. a.

    [15] See McSurely v. McClellan, 753 F.2d 88, 112-13 (D.C.Cir.1985); Miller v. Motorola, Inc., 202 Ill.App.3d 976, 148 Ill. Dec. 303, 560 N.E.2d 900 (1990); Beaumont v. Brown, 401 Mich. 80, 257 N.W.2d 522 (1977).

    [16] Warren and Brandeis, The Right to Privacy, 4 Harv.L.Rev. 193 (1890). See generally McSurely v. McClellan, 753 F.2d 88, 110-111 (D.C.Cir. 1985) (tracing the development of the tort of invasion of privacy); Lewis v. Physicians and Dentists Credit Bureau, 27 Wash.2d 267, 268-72, 177 P.2d 896 (1947) (same).

    [17] Hillman v. Star Pub. Co., 64 Wash. 691, 117 P. 594 (1911).

    [18] Hillman, 64 Wash. at 695, 117 P. 594.

    [19] Hillman, 64 Wash. at 696, 117 P. 594.

    [20] Lewis v. Physicians & Dentists Credit Bureau, 27 Wash.2d 267, 268-72, 177 P.2d 896 (1947).

    [21] RCW 42.17.310(1)(c).

    [22] See Hearst Corp. v. Hoppe, 90 Wash.2d 123, 136, 580 P.2d 246 (1978); Cowles Pub. Co. v. State Patrol, 109 Wash.2d 712, 720-27, 748 P.2d 597 (1988); Human Rights Comm'n v. City of Seattle, 25 Wash.App. 364, 369, 607 P.2d 332 (1980); Spokane Police Guild v. Liquor Control Bd., 112 Wash.2d 30, 37, 769 P.2d 283 (1989); City of Tacoma v. Tacoma News, Inc., 65 Wash. App. 140, 147, 827 P.2d 1094 (1992).

    [23] Laws of 1987, ch. 403, § 2 (codified at RCW 42.17.255).

    [24] RCW 42.17.

    [25] RCW 42.17.255.

    [26] See Mark v. Seattle Times, 96 Wash.2d 473, 497-99, 635 P.2d 1081 (1981); Eastwood v. Cascade Broadcasting Co., 106 Wash.2d 466, 722 P.2d 1295 (1986); Moloney v. Tribune Pub. Co., 26 Wash.App. 357, 613 P.2d 1179 (1980).