The Security Scrutinizer with Howard Anderson

California Privacy Case Worth Watching Case Centers on Disclosing Medical Information to Credit Agencies

The ruling paves the way for a Los Angeles lawyer to proceed with his lawsuit against a debt collector for allegedly disclosing his and his children's dental records and other personal information to credit reporting agencies without his permission, in violation of the state's medical privacy law.

The justices, in a unanimous ruling, overturned a state appellate court decision that the lawsuit must be dismissed because a provision in the state law, The Confidentiality of Medical Information Act, was preempted by the federal Fair Credit Reporting Act. Now the original lawsuit will go to trial.

The decision demonstrates a clear and positive statement that California law must be applied to protect medical privacy in this information age. 

An attorney for the now-retired debt collector in the case, however, told a San Francisco TV station that he is considering an appeal to the U.S. Supreme Court.

Dispute Over a $600 Bill

The privacy case began with a dispute over whether the LA lawyer, Robert Brown, owed his dentist $600 for a dental crown. Brown argued he never received the crown and refused to pay the bill. So the dentist referred the bill to the debt collector, Stewart Mortensen, who, over a period of time, sent various dental records and other information about Brown and his children to the nation's three major credit reporting agencies.

Brown sued Mortensen, alleging the debt collector violated the state medical privacy law, noting he made repeated requests to stop the disclosures to credit agencies. The state law, in most cases, requires patient authorization to disclose medical records to third parties and enables patients to sue anyone who discloses their health records without their permission.

The appellate court ruled that "all state law claims arising from the furnishing of information to consumer reporting agencies are preempted by the Federal Credit Reporting Act," the Supreme Court notes in its decision. "Reasoning that Mortensen had acted as a furnisher of credit information when disclosing the Browns' medical information to various credit agencies," the appellate court rejected Brown's lawsuit, the Supreme Court noted.

But in its ruling last week, The Supreme Court disagreed with the appellate court's conclusion that the Federal Credit Reporting Act preempted the state law's provision requiring obtaining patient permission to share records with third parties. It also noted that the HIPAA Privacy Rule specifically favors "additional, more protective state legislation" on health information privacy.

KGO-TV in San Francisco quotes Brown as saying, "The decision demonstrates a clear and positive statement that California law must be applied to protect medical privacy in this information age." He told the TV station that in future trial court proceedings, he will seek to make the case a class action on behalf of all Californians whose medical information was turned over to credit agencies and other third parties without their permission.

So this privacy battle is far from over.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network