For anyone involved in blogging or interested in information technology law or Internet privacy law, there is a strange case with some important lessons which was handed down by the District Court Western District of Kentucky last week. The case is Yoder v. University of Louisville, 2009 WL 2406235 (W.D. Ky. Aug. 3, 2009).The opinion is summarized well by Eric Goldman on the Technology & Marketing Blog.
Nina Yoder was a University of Louisville nursing student. She posted a blog post to MySpace entitled "How I Witnessed the Miracle of Life” that describes her first-hand observations from a school assignment to go watch a patient-mother giving birth.
Further…
Even if Yoder’s blog post was intended to be tongue-in-cheek, I can see why the blog post was so controversial. As just one example, the blog post repeatedly refers to newborn babies as "creeps." The court does not have kind words to describe the blog post, calling it "vulgar," "distasteful," "offensive," "crass and uncouth," and an "abject failure" as an attempt at humor. My personal take is that the blog post was, at best, ill-advised. I really can't imagine when I would want to work with a nurse who calls my baby a "creep," even if in jest, and (as discussed below) the amount of detail Yoder disclosed about her patient shows a reckless disregard for the confidentiality we expect from medical professionals.
When University of Louisville nursing school administrators discovered the post, they expelled Yoder from the nursing program on the grounds that she violated two contracts: the student honor code and a confidentiality agreement.
The linked opinion above quotes the entire blog post.
When University of Louisville nursing school administrators discovered the post, they expelled Yoder from the nursing program on the grounds that she violated two contracts: the student honor code and a confidentiality agreement.
The linked opinion above quotes the entire blog post.
The district court found that University of Louisville incorrectly interpreted the two contracts and reversed the school’s expulsion, ordering Yoder be reinstated into it’s School of Nursing.
Precision in Contract Drafting
Regarding the honor code, the court based its opinion heavily on the school’s lack of precision in the contract. The court noted that the school failed to provide a definition for the standard of “professionalism” in the contract (also, apparently the dean of the school could not provide a definition during a deposition). The court ultimately determined that the blog post was not unprofessional, but rather purely non-professional and, therefore, not governed by the contract.
I think the court’s decision here is poor. I suspect the School of Nursing intended for it’s professionalism standard in the honor code to extend beyond the borders of university grounds. The fact is that a full time nursing student is writing about experiences from her profession. When she wrote it should have no bearing. What she is writing about should be determinative.
This is a good note for anyone drafting or negotiating contracts. Lack of precision in use of contract terms can come back to haunt you. The school should blame themselves for the poor drafting.
Personally Identifiable Information
Regarding the confidentiality agreement, the more interesting determination by the court (in my opinion) is related to the personally identifiable information of the patient. The court found that Yoder did not disclose any personally identifiable information of the patient in her blog post. As stated by Goldman:
The defendants allege that the blog post disclosed "the following identifying information about the birth mother: the number of her children; the date that she was in labor; her behaviors; the treatment that she underwent (an epidural); her reaction to labor (vomiting); and the reactions of her family." The court says that none of this information was personally identifiable to the patient or her family because the post "does not disclose the birth mother's name, address, social security number, or the like. It does not disclose her age, race, or ethnicity. The Blog Post does not contain ‘financial’ or ‘employment related information’ about the birth mother. It does not disclose where she was in labor."
Disclosure of personally identifiable information is a HUGE issue in Internet law, information technology law and intellectual property technology law. While certain foreign governmental entities, like all members of the European Union, treat all personally identifiable information as belonging to the individual, and thereby protected, the U.S. treats such information as commercial and only protects certain sensitive types of information under regulation (e.g., online information about Children; medical information; certain financial information).
Here the court was presented with medical information – meaning the patient’s personally identifiable information is protected. Yoder signed a confidentiality agreement agreeing with the school to not disclose such information to others. The court’s determination that her disclosure was not a breach of this agreement draws an extremely narrow view of what constitutes personally identifiable information. A lot of questions are left open. If the information is enough to infer identity, is that enough (this Court seemed to take a view that it had to expressly disclose identity)? If the information is enough to package with other investigated information, is that enough (e.g., could a reporter find out identity by tying together the broad information that was disclosed in the post with other information that was found in a reasonable search of other hospital records)?
In the business law and technology law world, companies often agree to security standards to protect personally identifiable data. This has been pushed over the last decade by the stringent EU regulations. Clarifying the line of what constitutes personally identifiable information is an area of business that is becoming more important and an area of law that will see more and more attention in U.S. courts. Again, the Court here took a very narrow view – but it probably is not wise to base your security models on this decision.
~~~~~
Note: For Indiana entities, this case law is neither binding in Indiana state courts or it's federal district courts. However, it is considered persuasive precedent should a court in Indiana be presented with similar issues.
Powered by Compendium Blogware
Comments for SaaS Law - Case Addressing Personally Identifiable Information