Disclosure of med history, slander & libel?

Status
Not open for further replies.
E

elricho

New Member
Good day,

I am employed today in Connecticut, but was formerly employed in California. While in California, I used medical marijuana (cannabis) pursuant to California's SB 420 and Prop 215 with several doctors' endorsements. I made my employer (specifically, the CEO) aware of this situtaion in the event of a misunderstanding should they employ drug testing. A year later, I have transferred to CT, and the employment relationship has soured. The employer has stated that it has now come to their attention that I was using marijuana (no mention of medicine) and that I must comply with "drug free workplace policy" or my employment would be in jeopardy. FYI, my employment is in jeopardy anyway. In an email, the CEO stated that my prior med marijuana use was discussed with other(s). This infuriated me as now my personal medical history might become gossip in the office and industry, thereby affecting my future employment via a scarred reputation. I demaneded to know who my personal medical information/history was shared with and when, however, they have not yet responded. Common sense tells me that something wrong was done here, but I"m not yet sure. I have an attorney, but I'm not sure if he's even aware of CA's med-marijuana laws.

I have now had my workload removed, in what I perceive to be a preparation for my probabe termination.

Your thoughts?

Rich
 
Hippa

Type in HIPPA into your search engine. The site(s) you choose may expalin the law in relationship to your problem. Your lawyer should be aware of this law and whether or not it applies to your situation.
 
That's HIPAA..two As...thanks for the reply. That's an awfully long act, but it sure looks like it may have been violated in my case. There's much more detail that I didn't go into, but in sum, my past med-marijuana use is being used against me in both employment, and in gossip/character assasination.

Rich
 
There is no HIPAA violation here. HIPAA applies only to medical information an employer might obtain through their group health plan. It definitely does not apply to any medical information an employee tells their employer, including doctor's notes an employee presents. It may have been bad form for your employer to discuss your medical marijuana use but it did not violate any laws.
 
ADA - Americans with Disabilities Act

BETH3 - I know an employer can't discuss medical information with other employees no matter how he found the information out. Elrico - Since HIPAA doesn't seem to apply, check out ADA-the Americans with Disabilities Act. Elrico states that he had doctor consent for medical use of marijuana in CA. Elrico, IFyou still do (have doctor consent) in CT then a work place shouldn't be able to discriminate against you due to a disability. I don't know anything about the CT laws concerning medicinal marijuana use, but if it's not allowed there then it would seem there would definately be a problem with continued use and would not be medicinal anymore. You have lawyer, what does he say? How did the CT employer "find out" about the med marijuana; does he say? If you are not using it anymore and only used in CA where it is legal, what is the basis for CT to bring it up? Remember this not legal advise, check everything out with your lawyer.
 
Quote from US EEOC

The U.S. Equal Employment Opportunity Commission:
Keeping Medical Information Confidential
With limited exceptions, an employer must keep confidential any medical information it learns about an applicant or employee. Under the following circumstances, however, an employer may disclose that an employee has cancer:

to supervisors and managers, if necessary to provide a reasonable accommodation or meet an employee's work restrictions;
to first aid and safety personnel if an employee would need emergency treatment or require some other assistance at work;
to individuals investigating compliance with the ADA and similar state and local laws; and,
as needed for workers' compensation or insurance purposes (for example, to process a claim).
 
Civil Code Sec. 56.20-56.245

CIVIL CODE
SECTION 56.20-56.245
56.20. (a) Each employer who receives medical information shall
establish appropriate procedures to ensure the confidentiality and
protection from unauthorized use and disclosure of that information.
These procedures may include, but are not limited to, instruction
regarding confidentiality of employees and agents handling files
containing medical information, and security systems restricting
access to files containing medical information.
(b) No employee shall be discriminated against in terms or
conditions of employment due to that employee's refusal to sign an
authorization under this part. However, nothing in this section
shall prohibit an employer from taking such action as is necessary in
the absence of medical information due to an employee's refusal to
sign an authorization under this part.
(c) No employer shall use, disclose, or knowingly permit its
employees or agents to use or disclose medical information which the
employer possesses pertaining to its employees without the patient
having first signed an authorization under Section 56.11 or Section
56.21 permitting such use or disclosure, except as follows:
(1) The information may be disclosed if the disclosure is
compelled by judicial or administrative process or by any other
specific provision of law.
(2) That part of the information which is relevant in a lawsuit,
arbitration, grievance, or other claim or challenge to which the
employer and employee are parties and in which the patient has placed
in issue his or her medical history, mental or physical condition,
or treatment may be used or disclosed in connection with that
proceeding.
(3) The information may be used only for the purpose of
administering and maintaining employee benefit plans, including
health care plans and plans providing short-term and long-term
disability income, workers' compensation and for determining
eligibility for paid and unpaid leave from work for medical reasons.
(4) The information may be disclosed to a provider of health care
or other health care professional or facility to aid the diagnosis or
treatment of the patient, where the patient or other person
specified in subdivision (c) of Section 56. 21 is unable to
authorize the disclosure.
(d) If an employer agrees in writing with one or more of its
employees or maintains a written policy which provides that
particular types of medical information shall not be used or
disclosed by the employer in particular ways, the employer shall
obtain an authorization for such uses or disclosures even if an
authorization would not otherwise be required by subdivision (c).



56.21. An authorization for an employer to disclose medical
information shall be valid if it:
(a) Is handwritten by the person who signs it or is a in typeface
no smaller than 14-point type.
(b) Is clearly separate from any other language present on the
same page and is executed by a signature which serves no purpose
other than to execute the authorization.
(c) Is signed and dated by one of the following:
(1) The patient, except that a patient who is a minor may only
sign an authorization for the disclosure of medical information
obtained by a provider of health care in the course of furnishing
services to which the minor could lawfully have consented under Part
1 (commencing with Section 25) or Part 2.7 (commencing with Section
60) of Division 1.
(2) The legal representative of the patient, if the patient is a
minor or incompetent. However, authorization may not be given under
this subdivision for the disclosure of medical information which
pertains to a competent minor and which was created by a provider of
health care in the course of furnishing services to which a minor
patient could lawfully have consented under Part 1 (commencing with
Section 25) or Part 2.7 (commencing with Section 60) of Division 1.
(3) The beneficiary or personal representative of a deceased
patient.
(d) States the limitations, if any, on the types of medical
information to be disclosed.
(e) States the name or functions of the employer or person
authorized to disclose the medical information.
(f) States the names or functions of the persons or entities
authorized to receive the medical information.
(g) States the limitations, if any, on the use of the medical
information by the persons or entities authorized to receive the
medical information.
(h) States a specific date after which the employer is no longer
authorized to disclose the medical information.
(i) Advises the person who signed the authorization of the right
to receive a copy of the authorization.



56.22. Upon demand by the patient or the person who signed an
authorization, an employer possessing the authorization shall furnish
a true copy thereof.


56.23. An employer that discloses medical information pursuant to
an authorization required by this chapter shall communicate to the
person or entity to which it discloses the medical information any
limitations in the authorization regarding the use of the medical
information. No employer that has attempted in good faith to comply
with this provision shall be liable for any unauthorized use of the
medical information by the person or entity to which the employer
disclosed the medical information.



56.24. Nothing in this part shall be construed to prevent a person
who could sign the authorization pursuant to subdivision (c) of
Section 56.21 from cancelling or modifying an authorization.
However, the cancellation or modification shall be effective only
after the employer actually receives written notice of the
cancellation or modification.



56.245. A recipient of medical information pursuant to an
authorization as provided by this chapter may not further disclose
such medical information unless in accordance with a new
authorization that meets the requirements of Section 56. 21, or as
specifically required or permitted by other provisions of this
chapter or by law.
 
Calalily, it has not been established that the protectionos of the ADA apply. Regarding the civil code you cited, that is out of context and consequently there is no way of knowing whether that applies to employers in the private sector.

What I can tell you for certain is that medical information an employee shares with their employer is not protected by HIPAA and falls under the category of employee records and therefore is not protected by any medical confidentiality laws.
 
HI guys,

I'm enjoying watching your dialogue. I have a conversation with my CEO at 4PM EST (15 minutes from now). I'll let you know what he thinks his position is. Darn, I thought I had something with the civil code. I'll update you.


Rich
 
Well, apparently their attorneys thought that they had a greater exposure than is evidenced by some replied here. They folded and created a "new deal" in concession. Apparently their exposure was high.

I am going to counter-offer their proposal and keep you updated.

Thanks for your input,


Rich
 
You need to find out how the CT CEO discovered your prior medical history (you stated you told California CEO) and who he (CT CEO) told. Especially if you feel it may have damaged your professional reputation and hinder future employment opportunities in your field. As I stated before, employers are not allowed to give your medical information no matter how they discover it and it cannot be used against you to terminate you. A few very narrow exceptions exist where they may disclose info to your supervisor to help accomodate you or protect you, too long to explain in detail here. I still believe that ADA does cover this as does the civil code I mentioned earlier.
 
Beth3 said:
Regarding the civil code you cited, that is out of context and consequently there is no way of knowing whether that applies to employers in the private sector.
Click to expand...
No, it's not out of context. It is completely on-point, and, yes, it applies to both the private sector and public agencies.
 
Malibu Barbie said:
No, it's not out of context. It is completely on-point, and, yes, it applies to both the private sector and public agencies.
Click to expand...
Oh, sorry ... where's the edit button - lol! I just realized you said "civil code" ... that, I don't know, however, the Federal Code which applies to the EEO & EEOC governs the private sector and public agencies, and medical records are strictly confidential and should not have been disclosed to his co-workers ... especially his method of "treatment".
 
Please Read Highlighted Below where HIPAA is explained

Federal Law
HIPAA

The HIPAA Privacy Rule (45 CFR Parts 160 and 164) provides the "federal floor" of privacy protection for health information in the United States, while allowing more protective ("stringent") state laws to continue in force. Under the Privacy Rule, protected health information (PHI) is defined very broadly. PHI includes individually identifiable health information related to the past, present or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Even the fact that an individual received medical care is protected information under the regulation.

The Privacy Rule establishes a federal mandate for individual rights in health information, imposes restrictions on uses and disclosures of individually identifiable health information, and provides for civil and criminal penalties for violations. The complementary Security Rule includes standards for protection of health information in electronic form.

Rights Under the Privacy Rule

The individual, who is the subject of Protected Health Information (PHI), has the following rights under the Privacy Rule:


Right to access, inspect and copy PHI held by hospitals, clinics, health plans and other "covered entities," with some exceptions
Right to request amendments to PHI held by "covered entities"
Right to request an accounting of disclosures that have been made without authorization to anyone other than the individual for purposes other than treatment, payment and health care operations
Right to receive a Notice of Privacy Practices from doctors, hospitals, health plans and others in the health care system
Right to request confidential communications of PHI, e.g., having PHI transmitted to a different address or a different telephone number
Right to request restrictions on uses or disclosures, although the "covered entity" receiving the request is not obligated to accept it
Right to complain about privacy practices to the "covered entity" and to the Secretary of Health and Human Services
Limits on uses and disclosures
"Covered entities" that hold PHI may use it without an individual's consent for the purposes of providing treatment to the individual, for payment activities such as claims adjudication and premium setting, and for operating their businesses. They are also permitted to use and disclose PHI as required or permitted by other laws, e.g., laws related to reporting of child or elder abuse, public health oversight and national security investigations. However, those who have PHI must obtain an individual's signed authorization for use of PHI in marketing, research, fundraising, or any other activities that are not part of treatment, payment, health care operations, and other categories specifically identified under the Privacy Rule. A few types of disclosures require that the individual be given an opportunity to agree or object to the disclosure, e.g., whether information should be included in a hospital directory or given to clergy. Based on the professional judgment of a health care professional, some disclosures may be made to friends and family who are involved in an individual's care if such disclosures are found to be in the best interest of the individual.

In addition to specific restrictions on uses and disclosures, the Privacy Rule imposes a general "minimum necessary" requirement on those who hold and use PHI. Except for disclosures to the individual who is the subject of PHI or disclosures for treatment purposes, organizations must limit their uses and disclosures to "minimum necessary" information required to perform a task. They must have policies and procedures that specify what PHI can be viewed by different classes of employees within their workforces, what PHI should be released in response to routine inquiries, and must have a process in place for deciding what PHI should be released in response to non-routine requests.
"Covered entities" must also have formal contracts with their business associates, which use PHI to perform functions on their behalf. Examples of business associates include law firms, accounting firms, accreditation organizations, credentialing services, billing services and third-party administrators. Business associate agreements must stipulate that the business associate will safeguard PHI and will assist the "covered entity" in complying with its obligations with regard to individual rights and oversight by the Secretary of Health and Human Services.
Penalties for violations of privacy

The Privacy Rule includes both civil and criminal penalties for violations of privacy. Generally, penalties are expected to be assessed in cases where organizations or individuals act with willful neglect or intent to cause harm. Civil penalties are specified at $100 per violation, not to exceed $25,000 per person per year for identical violations. Criminal penalties for wrongful disclosure of PHI can go up to $250,000 and/or 10 years imprisonment if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Security standards

Requirements for safeguarding protected health information (PHI) are found in two separate but complementary Rules under HIPAA. The Privacy Rule requires "covered entities" to have in place "appropriate administrative, physical and technical measures" to safeguard PHI. This obligation must be passed on to business associates in business associate agreements and to researchers in limited data use agreements. The Security Rule, published in final form on February 20, 2003, contains considerably more detail about the meaning of appropriate safeguards.

Although the Privacy Rule applies to PHI in any form, including oral communication, the Security Rule applies only to PHI in electronic form. The standards are divided into three groups: administrative safeguards, physical safeguards, and technical safeguards. Administrative standards include risk analysis and management, assigning security responsibilities, policies and procedures, training of the workforce and contract requirements. Physical safeguards include access to facilities and workstations, as well as device and media controls. Technical safeguards include access controls and audits, authentication and transmission security.
 
You guys are awesome. I've now found a favorite website. Everything is discussed in these forums, and after reading your profiles, you all have some great backgrounds. For clarification, there is only ONE CEO. I moved from CA to CT, and stayed with the same company.

I told the CEO of my medication, as drug testing was proposed. Although anybody with $30 can pass a test, I disclosed the medication used to my CEO and showed my state med-marijuana ID card in order to avert any possible misunderstandings. This was over a year ago, and while I lived in CA, where it was "legal." CEO advised that this was not a problem, and stated that he appreciated me being forthright. Only since the relationship has soured has he used it as a weapon against me to:

1. Use as a reason to terminate

2. Protect against a wrongful termination suit

3. Embarass and hurt me (and my future viability in the market)

Adding insult to injury, he advised that he had discussed my condition with "others" in the company, in an email to me. Further, he told me to get in step with the "drug free workplace policy." My lawyer had a heyday after I shared everything today. A cursory review suggests that the employer violated the HIPAA, the above civil code AND has possibly slandered me, affecting my future. I work in a very tight-knit industry (yes, I deal with lawyers often), and it CAN certainly affect my future work. This is all in the context that I aspire to break away from the company, and possibly compete as a new entity. When I shared my aspirations with the CEO, the attacks started.

We're offering a counter, and it looks like we're well armed. We are hiring an economist @ $220+/hr in order to help assess damages. This is serious stuff folks. I have advised my other friends in management or ownership to avoid EVER disclosing somebody's medical history, no matter how benign it seems. A review of the emails by a third party will yield a quite direct threat by using my medical history as a weapon AND the disclosure to others.

FYI, you'd be shocked if you knew what my company does for business. They should know better. And YES, big recognizable companies do make these mistakes.

As always, thanks for your input, and I'll keep you posted.


Rich
 
Status
Not open for further replies.

Share this page

Get a free case review from a lawyer
Back
Top