Subscribe (Free) to
Daily or Weekly Newsletters
Post a Job

Featured Jobs

Regional VP of Sales

The Retirement Plan Company
(Remote / AZ / CA / CO / MN / MO / OR / WA)

The Retirement Plan Company logo

DB/DC Administrator

Primark Benefits
(Remote / San Mateo CA)

Primark Benefits logo

Retirement Plan Administrator

Nicholas Pension Consultants
(Remote)

Nicholas Pension Consultants logo

Client Relationship Manager

Wespath Benefits and Investments
(Remote / Glenview IL)

Wespath Benefits and Investments logo

Senior Consultant

Pentegra
(Remote / Putnam Valley NY)

Pentegra logo

Director of Member Services, Member/ Employer Experience

Orange County Employees Retirement System
(Santa Ana CA)

Orange County Employees Retirement System logo

Sr. Retirement Plan Administrator

Tycor Benefit Administrators, Inc.
(PA)

Tycor Benefit Administrators, Inc. logo

401(k) Plan Administrator

Abacus Retirement Solutions, LLC
(Remote / Albuquerque NM)

Abacus Retirement Solutions, LLC logo

Retirement Plan Administrator

Carpenter Morse Group Inc.
(Remote)

Carpenter Morse Group Inc. logo

View More Employee Benefits Jobs

Free Newsletters

“BenefitsLink continues to be the most valuable resource we have at the firm.”

-- An attorney subscriber

Mobile App image LinkedIn icon
Twitter icon
Facebook icon

Guest Article

(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)

4th Circuit Ruling in ERISA Preemption Case Has Implications for HIPAA Privacy


Summary: An employee's state-law privacy lawsuit alleging that her employer's plan administrator misused her health information is not necessarily preempted by ERISA, the 4th U.S. Circuit Court of Appeals ruled in Darcangelo v. Verizon Communications Inc. This case, possibly the first to analyze the ERISA fiduciary issues implicated by an alleged privacy breach, could have some bearing on a preemption analysis under HIPAA's privacy rules.

An employee's state-law privacy lawsuit alleging that her employer's plan administrator misused her health information is not necessarily preempted by ERISA, a federal appeals court ruled. The case is Darcangelo v. Verizon Communications Inc., No. 01-1679 (4th Cir., May 28, 2002).

The 4th U.S. Circuit Court of Appeals refused to dismiss the lawsuit because the conduct alleged by the employee might be unrelated to the administrator's fiduciary duties under the ERISA plan. If so, the suit is not preempted because it could not have been brought under ERISA, the court ruled.

Facts of the Case

Frances Darcangelo filed suit in Maryland state court against Verizon Communications Inc., her employer, and CORE Inc., the administrator of Verizon's disability benefit plan. She alleged violations of Maryland's statutes on medical record confidentiality and unfair and deceptive trade practices, in addition to common-law claims for invasion or privacy, negligence and breach of contract.

"The nub of Darcangelo's complaint is that CORE, acting as the agent of Verizon, solicited and disseminated Darcangelo's private medical information in order to assist Verizon in its efforts to declare Darcangelo a 'direct threat' to her coworkers so that she could be fired," Judge Blane Michael wrote for the unanimous three-judge panel. "Darcangelo, in other words, says that CORE did not obtain or disseminate her medical information for any appropriate purpose."

Verizon had the case "removed" to a federal district court, which dismissed all of Darcangelo's claims as preempted. However, the 4th Circuit reversed this ruling on all except the contract claim.

"The remaining four claims, relating to the confidentiality of medical records, unfair trade practices, privacy and negligence, cannot be disposed of on preemption grounds at the motion to dismiss stage," Michael wrote. "This is because the complaint, in setting forth these four claims, charges CORE with conduct that is entirely unrelated to its duties under the ERISA plan."

"The defendants' assertion, which the district court accepted, that the conduct in question arises out of the administration of an ERISA plan might well turn out to be true," Michael added. "But at the motion to dismiss stage, a court must accept the allegations of the complaint as true and view the complaint in the light most favorable to the plaintiff."

Turning to the ERISA preemption analysis, the court noted that ERISA preempts three major categories of state laws: (1) laws that mandate employee benefit structures or their administration; (2) laws that bind employers or plan administrators to particular choices or preclude uniform administrative practices; and (3) laws that provide alternative enforcement mechanisms to ERISA's civil enforcement provisions. It is this third category that could implicate Darcangelo's claims, the court explained.

"At first blush, it might appear that any claim by an ERISA plan participant or beneficiary against the plan administrator would of necessity be a claim for enforcement of ERISA rights that could be asserted only as a federal claim," Michael wrote. "In many cases brought by ERISA beneficiaries against their plan administrators, courts have held state law claims to be preempted as alternative enforcement mechanisms," he noted. "Unlike this case, however, those cases involved alleged misconduct by an administrator that was clearly undertaken in the course of carrying out duties under a plan."

Citing the U.S. Supreme Court's decision in Mackey v. Lanier Collection Agency and Serv., Inc., 486 U.S. 825 (1988), the court ruled that "the simple fact that a defendant is an ERISA plan administrator does not automatically insulate it from state-law liability for alleged wrongdoing against a plan participant or beneficiary."

The court therefore ruled that ERISA did not preempt Darcangelo's claims, except for her breach-of-contract claim, because it asserted a right under the ERISA plan terms. The court remanded the case to the U.S. District Court in Baltimore, noting that "further factual development, perhaps in summary judgment proceedings, might establish that the four [remaining] state law claims are preempted."

Implications

This case does not refer to or analyze HIPAA but it could have some bearing on a preemption analysis under HIPAA. In the preamble to HIPAA's privacy rules, the U.S. Department of Health and Human Services indicated that a state law preempted by ERISA probably would not apply to an ERISA plan under HIPAA. So to the extent that the district court determines that the Maryland state privacy laws in this case are preempted by ERISA, they could also be preempted by HIPAA.

The case may be the first to analyze the ERISA fiduciary issues implicated by an alleged privacy breach. Under the standard set by the court, if Verizon improperly disclosed Darcangelo's health information during the course of performing a duty under the plan, her state-law claims could be deemed to allege a breach of fiduciary duty under ERISA, and thus would be preempted by ERISA as an alternative enforcement scheme. By contrast, conduct outside the scope of plan administration duties (that is, obtaining information solely for the purpose of firing Darcangelo) would fall outside ERISA's scope, so ERISA would not preempt a state privacy claim based on that conduct. Whether the case's actual facts fall neatly into one of these two categories will have to be determined by the trial court.

The distinction between plan administration and employment functions is a common feature of ERISA and HIPAA's privacy rules, which require the establishment of "firewalls" between these two functions. HIPAA recognizes that an employer could obtain protected health information appropriately for a plan administration purpose, yet use it inappropriately for employment purposes. Doing so would violate the privacy rules and could result in a civil penalty. To the extent that the same activity is a breach of fiduciary duty under ERISA, it is unclear whether ERISA provides any additional penalty or remedy since no harm was done to the plan or its assets.

Reprinted with permission from the July 2002 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.

BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.
© 2022 BenefitsLink.com, Inc.