Doe v. Aetna Life Ins. Co., 2018 WL 6829728 (M.D. Fla. 2018)
A federal trial court has allowed an ERISA health plan participant to pursue a state-law claim for invasion of privacy against the plan’s insurer, after the insurer mailed information to the participant in an envelope with a large window through which the participant’s health information, including HIV status, was visible. The participant alleged that, by using the window envelope, the insurer improperly disclosed confidential health information. (The insurer acknowledged the improper configuration of the envelope in what appears to have been a HIPAA breach notification sent to the participant.) The participant brought state-law claims for breach of contract, negligence, negligent infliction of emotional distress, and invasion of privacy (specifically, public disclosure of private facts). The insurer moved to dismiss the claims.
The court held that the participant had standing to pursue the claims because he adequately alleged that unauthorized third parties, including postal employees and members of the participant’s household, “must have viewed” his personal information. The court further ruled that the express preemption provision in ERISA § 514 did not bar the participant’s claims because none of the claims was premised on plan administration, claims processing, or claim denial. However, the court determined that the claims for breach of contract, negligence, and negligent infliction of emotional distress were preempted by the exclusive enforcement scheme under ERISA § 502 because the participant failed to allege an independent legal duty—one not based on the ERISA plan documents—applicable to these claims. But the claim for invasion of privacy was based on an independent duty under state law and, therefore, was not preempted. And, according to the court, the participant adequately pled the required elements of this claim, despite the insurer’s contention that the participant had not pled actual publication of the sensitive information to even a single person.
EBIA Comment: This case highlights the complex interaction among HIPAA, ERISA, and state laws in the context of sensitive health plan information. Although the participant seems to have alleged that the insurer’s conduct violated HIPAA to support some of his state-law claims, he did not attempt to sue directly under HIPAA—a prudent decision since most courts do not recognize a HIPAA private right of action. However, as this opinion indicates, the absence of a private HIPAA remedy does not mean covered entities and business associates are off the hook, since a variety of state-law remedies may still be viable. And, of course, OCR enforcement can result in substantial penalties, as indicated by a recent resolution agreement involving HIV (see our Checkpoint article). For more information, see EBIA’s ERISA Compliance manual at Sections XXXIX.B (“ERISA Preemption in a Nutshell”) and XXXIX.H.6.e (“Claims for Invasion of Privacy in Connection With Claims Processing”); see also EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXI.D (“HIPAA Preemption Issues”) and XXI.E (“Impact of ERISA Preemption for Health Plans Subject to ERISA”).
Contributing Editors: EBIA Staff.