Shared Patient Videos Lead to Class Action against Sharp Grossmont Hospital

By on June 30, 2016

On May 24, 2016, a class-action complaint was filed against Sharp Healthcare in San Diego, California, alleging violations of the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the complaint alleges that Sharp secretly recorded approximately 15,000 videos of patients in Sharp’s year-long attempt to build a case against an anesthesiologist allegedly stealing the drug Propofol. Sharp allowed security guards to review the recordings, and released 14 of the recordings to the anesthesiologist’s defense attorney. Many of the videos depicted unconscious patients, nudity, Cesarean sections, or other surgeries.

The named plaintiff, Melissa Escalera, was allegedly filmed during a Cesarean section. The class potentially includes more than 1,000 patients secretly recorded by Sharp between July 2012 and June 2013. The complaint seeks class certification and damages for breach of fiduciary duty, breach of confidentiality, unlawful recording of confidential information, negligent creation and maintenance of medical information, unlawful disclosure of medical information, invasion of privacy, and distribution of private sexually explicit materials.

We will continue to monitor this story as it develops.

Filed under California’s Confidentiality of Medical Information Act, Health Insurance Portability and Accountability Act

Just When You Thought EU “Model Clauses” Are Safe to Transfer EU Data, Think Again

By on June 1, 2016

After the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor framework for EU-US data transfer, companies began to rely on the EU’s “Model Clauses” as a valid means of transferring data from the European Union. In fact, almost all multi-national corporations adopted “Model Clauses” as the interim best practice to transfer EU data from the European Union.

However, the EU “Model Clauses” do not directly address US national security surveillance laws, which remain unchanged and continue to apply to large multi-national corporations. This has given rise to this latest CJEU proceeding initiated by the Irish Data Protection Commissioner (DPC). The DPC recently announced that it will ask the CJEU to determine whether Facebook can transfer EU data from the European Union via the use of EU’s model clauses. A copy of the press release can be found here.

In addition to the ongoing EU-US Privacy Shield negotiations that will likely continue for at least the next year, we must now watch for the CJEU’s decision on whether EU “Model Clauses” adequately protect EU data from big government surveillance practices. Given the current state of EU data transfers, best practices must continue to be examined and developed by the data privacy industry.

Filed under EU-US Privacy Shield