California Privacy Case: An Update
U.S. Supreme Court Helps Bolster State LawA U.S. Supreme Court decision not to review a California privacy case involving disclosing medical records to credit agencies appears to help bolster the state's strong medical privacy law.
See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture
Back in June, I wrote about a California Supreme Court ruling that a key provision of a state privacy law is not preempted by federal regulations (see: California Privacy Case Worth Watching).
Now that the U.S. Supreme Court has chosen not to review the case (Mortensen v. Brown), a Los Angeles lawyer can proceed with his lawsuit against a debt collector for allegedly disclosing his and his children's dental records and other personal information to credit reporting agencies without his permission, in violation of the state's medical privacy law.
The California Supreme Court justices, in a unanimous ruling, overturned a state appellate court decision that the lawsuit must be dismissed because a provision in the state law, The Confidentiality of Medical Information Act, was preempted by the federal Fair Credit Reporting Act.
The state Supreme Court ruling, and the U.S. high court's refusal to review it, could help ensure the privacy of Californian's medical records.
History of the Dispute
The privacy case began with a dispute over whether the LA lawyer, Robert Brown, owed his dentist $600 for a dental crown. Brown argued he never received the crown and refused to pay the bill. So the dentist referred the bill to the debt collector, Stewart Mortensen, who, over a period of time, sent various dental records and other information about Brown and his children to the nation's three major credit reporting agencies.
Brown sued Mortensen, alleging the debt collector violated the state medical privacy law, noting he made repeated requests to stop the disclosures to credit agencies. The state law, in most cases, requires patient authorization to disclose medical records to third parties and enables patients to sue anyone who discloses their health records without their permission.
The appellate court ruled that "all state law claims arising from the furnishing of information to consumer reporting agencies are preempted by the Federal Credit Reporting Act," the California Supreme Court noted in its decision. "Reasoning that Mortensen had acted as a furnisher of credit information when disclosing the Browns' medical information to various credit agencies," the appellate court rejected Brown's lawsuit, the court noted.
But the state Supreme Court disagreed with the appellate court's conclusion that the Federal Credit Reporting Act preempted the state law's provision requiring obtaining patient permission to share records with third parties. It also noted that the HIPAA Privacy Rule specifically favors "additional, more protective state legislation" on health information privacy.
This privacy battle is not yet over. It will be interesting to see the outcome of the lawsuit in this important case.
Brown told me he's now pursuing a class action lawsuit against Mortensen in Los Angeles Superior Court on behalf of all Californians who may have had their healthcare records inappropriately shared with credit reporting agencies by Mortensen. He's seeking $1,000 for each individual affected.