With a weekend of football championships behind us, this post tackles the privacy developments that employers here in Connecticut need to run down. Indeed, while I could just pass off two recent posts from my colleagues, it’s worth going through a progression of options.
One development is for the U.S. “patriots”, while another one lets you fly like an eagle to Europe to understand the implications that an EU regulation can have on US employers.
Since my beloved New York football giants were out of it since week one, I’m going to just quarterback what you need to know and, for the sake of everyone, put the football puns on the sideline for the rest of the post.
First up, the Connecticut Supreme Court last week recognized a private right of action that patients have against their doctors for unauthorized disclosure of confidential information obtained in the course of that relationship.” My colleagues in the Health Law group have a detailed post here. As noted by my partners:
This case is significant because it provides yet another avenue by which physicians may be held liable for violating HIPAA. This is because the Court decided in 2014 that “HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records …” Thus, if physicians owe a duty of confidentiality to their patients and violating HIPAA is found to breach that duty, the Court held that patients now have the right to sue their physician for damages caused by a violation of HIPAA. Whether a patient will be successful in such a lawsuit remains to be seen.
The case serves as a reminder to health care professionals and, perhaps just as importantly, to their staff to protect confidential health information to comply with the law and avoid legal liability from patients. If you do any work in the health care area, the decision and the tips flowing from the case are a must read.
On a broader scale, Connecticut employers that do business in Europe or do business from EU citizens should also take note of new regulations coming into effect in late May 2018. Again, my colleagues posted about this on the School Law blog, but it’s worth a look.
So what are we talking about? As my colleagues noted:
The requirements of the European Union (“EU”) General Data Protection Regulation (“GDPR”) come into effect on May 25, 2018. These regulations promise to usher in sweeping changes to the way institutions, companies, and other organizations collect and handle the personal data of EU residents.
The GDPR is a holistic set of data privacy requirements that address the entire life cycle of collection, use, and disclosure of the “personal data” of EU residents. While we anticipate jurisdictional challenges that may someday limit the GDPR’s reach outside of the EU, the law as currently drafted purports to affect institutions of higher education, companies, and other organizations, such as boarding schools, worldwide. This means that the GDPR will affect not only institutions that do business with or operate inside of the EU, but will also affect institutions in the United States that processes the personal data of persons residing in the EU.
For more on the subject, check out this comprehensive post from my fellow law partners.
Privacy law has increasing implications for employers and employees. Employers need to ensure proper training in these areas to ensure compliance.