Email Security and Privacy: NY Hospital Retention Ruling Points Out Importance of Policies and Awareness

On October 17, 2007, there was a very interesting ruling regarding a doctor’s email communications sent to an attorney and the associated attorney privilege. In the matter of Scott v Beth Israel Med. Ctr. Inc. the New York Supreme Court found that the doctor’s email messages to his attorneys using the hospital network were not privileged and could be retained by the hospital even though the doctor wanted the hospital to stop retaining his messages and delete all emails related to his communications with his lawyers.

Some key points from the case:
* Beth Israel Medical Center and Continuum Health Partners Inc. (BI) in New York had a clearly documented and communicated policy that indicated that the email system was not for private or personal use, and that all email messages were subject to monitoring.
* Dr. W. Norman Scott indicated that that he was not aware of the policy.
* BI communicated this policy to everyone to which it applied, and provided evidence of this, and also gave notice of the policy to monitor all electronic communications whenever anyone accessed the BI network. Because of this, the courts rejected Dr. Scott’s claim that he did not know of the policies.
* Dr. Scott argued that New York state’s civil procedure rules, work-product privilege, or attorney-client privilege overrode the policies.
* Dr. Scott was communicating via email with his lawyer about a case he brought against BI in 2005 for breach of contract because he claimed he was being terminated without cause. At the time, BI agreed to pay Dr. Scott $14,000,000 in severance pay if he was terminated without cause. However, BI asserted that Dr. Scott was terminated for cause.
* BI retained all the email messages between Dr. Scott and his lawyers following the BI email retention procedures. However, BI staff did not read the email messages.
* Dr. Scott’s lawyers claimed that even though no one at BI read the email messages, that BI was violating attorney-client privileges by retaining the emails.
* The emails were all written between February 2004 and August 3, 2004 using Dr. Scott’s employee email address and were all sent over BI’s email server.
* BI’s email Policy states:

“This Policy clarifies and codifies the rules for the use and protection of the Medical Center’s computer and communications systems. This policy applies to everyone who works at or for the Medical Center including employees, consultants, independent contractors and all other persons who use or have access to these systems.
1. All Medical Center computer systems, telephone systems, voice mail systems, facsimile equipment, electronic mail systems, Internet access systems, related technology systems, and the wired or wireless networks that connect them are the property of the Medical Center and should be used for business purposes only.
2. All information and documents created, received, saved or sent on the Medical Center’s computer or communications systems are of the Medical Center. Employees have no personal privacy right in any material created, received, saved or sent using Medical Center communication or computer systems. The Medical Center reserves the right to access and disclose such material at any time without prior notice.”

* Every message Dr. Scott’s lawyers sent to Dr. Scott’s BI email address contained the following message:

“This message is intended only for the use of the Addressee and may contain information that is privileged and confidential. If you are not the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify us immediately.”

However, the court was not impressed by this; with regard to this they ruled,

“However, even the New York State Bar Association has stated, “a lawyer who uses technology to communicate with clients must use reasonable care with respect to such communication, and therefore must assess the risks attendant to the use of that technology and determine if the mode of transmission is appropriate under the circumstances.””

* The court stated,

“Dr. Scott challenges the policy of a hospital retaining the right to review its employees e-mails based in HIPAA, the federal statute that protects patient health information. First, the Court rejects this argument because the e-mail at issue is between Dr. Scott and his attorney has nothing to do with patients. Second, a hospital can certainly have access to its patients’ information. Dr. Scott’s suggestion otherwise is preposterous.”

* Ultimately the court found that because the policies were clearly documented and communicated that Dr. Scott did not have reasonable expectation of privacy in his email communications with his lawyers, and that BI had the right to retain and even monitor the emails sent through their systems.
This is a great case study to use in your email security and privacy awareness communications, and to incorporate into your targeted training to your management, IT email admins, HR and legal groups.
This case also provides a good validation for:
1) The need for documented information security and privacy policies and procedures in general, and specifically email and monitoring policies and procedures.
2) The need to provide ongoing awareness communications about the policies, such as those at BI with the login banner notification of monitoring policies.
3) The need to document and provide some type of log to show the communications did indeed occur.
It also points out that HIPAA cannot be used as the privacy scapegoat for every type of communication made within a healthcare organization, or any other type of HIPAA covered entity.
Another issue appears to be that Dr. Scott *may* have continued to use the BI email system after his employment termination. It doesn’t specifically state this, but is implied by the discussion revolving around the communications with his lawyers about his termination. For goodness sake, be sure to have procedures in place to remove all access to your systems and applications as soon as an employee leaves or is terminated!

Tags: , , , , , , , , , , , , ,

Leave a Reply