In the latest chapter of what has been a landmark year in sports law, several current and former minor league baseball players have filed a class action and collective action lawsuit against Major League Baseball (“MLB”) and all 30 individual teams for failing to pay salaries that met or exceeded the minimum wage on a per-hour basis, in violation of the Fair Labor Standards Act (“FLSA”), 29 U.S.C. § 201 et seq., and the wage and hour laws in five states. The suit, Senne v. Office of the Commissioner of Major League Baseball (3:14-cv-608-JCS, N.D. Cal. 2014), brings to the forefront the disparity in salaries earned by professional baseball players, puts MLB’s antitrust exemption under renewed scrutiny, and threatens to alter the business of organized baseball, which earned more than $8 billion in revenue in 2013. While the annual minimum salary for an MLB player is $500,000, and the average salary more than $3 million, the Plaintiff class claims that below the “AAA” level–the level right below the major leagues–the median salary is no more than $1500 per month. Second Amended Class Action Complaint (“Complaint”), ¶ 16. This disparity has been termed by baseball economist Andrew Zimbalist as the “struggling apprentice predicament,” in which minor leaguers, like other aspirants in highly competitive entertainment fields such as art and music, often work long hours for low wages in the hopes of achieving wealth and success. Andrew Zimbalist, Baseball and Billions: A Probing Look Inside the Big Business of Our National Pastime, BasicBooks (1994), p. 119. The players claim that, between games, practice, and training, they work more than 50 hours per week during the five month season, and sometimes 70 hours, while receiving no overtime pay. Id. ¶ 9. Thus, assuming an average workweek of 50 hours per week, the hourly wage would be below the federal minimum wage at every level of minor league baseball below AAA. The Plaintiff class also claims that MLB and its teams have been on notice since at least 1995 and 1998, when the Cincinnati Reds had two FLSA cases decided against them, that they are not exempt from federal minimum wage laws. (Id. ¶ 14, citing Bridewell v. The Cincinnati Reds, 68 F.3d 136, 139 (6th Cir. 1995), cert. denied, 516 U.S. 1172 (1996); Bridewell v. The Cincinnati Reds, 155 F.3d 828, 829 (6th Cir. 1998).
Recently, long-time ESPN columnist and TV personality Bill Simmons, speaking of NFL Commissioner Roger Goodell, said that “[Goodell] is lying. I think that dude is lying. If you put him up on a lie detector test, that guy would fail.” Simmons was criticizing Goodell for his insistence that, prior to the NFL’s suspending Baltimore Ravens running back Ray Rice for only two games, the NFL had not viewed a video tape of Rice punching his then-fiancée, Janay Palmer. Simmons’s sharp criticisms of Goodell drew a stern response from ESPN; the sports-media giant slapped Simmons with a three week suspension for failing to live up to ESPN’s journalistic standards. Some have suggested that, in addition to undermining ESPN’s standards, Simmons could also be civilly liable for defaming Roger Goodell. Should Goodell file suit? Probably not, but I sure hope that he does.
We all should welcome a Goodell-initiated lawsuit against Simmons because, as the old adage goes, “The truth shall set you free.” A common defense to defamation claims is that the defendant was telling the truth. For Simmons, that means that—regardless of the merits of his defamation lawsuit, which are not discussed here—he would be able to assert that Goodell’s claim fails because Goodell did, in fact, lie. In other words, if Goodell lied about his knowledge of the Ray Rice video tape, then Bill Simmons would not liable for defamation.
To prove that Goodell is a liar, Simmons would be entitled to discovery, including the opportunity to pore over NFL documents, emails, and records. Simmons would have the right to depose Goodell and other NFL personnel with knowledge of the Ray Rice situation. Simmons would also be able to serve interrogatories, requests for admission, and subpoenas to third parties. The courts employ liberal rules regarding discovery and the open exchange of information, and surely, Simmons would push these liberal rules to their limits.
Most importantly, though, Simmons would be able to reveal to the public what he uncovered in discovery. In court filings and dispositive motions, which are presumptively open to the public, Simmons would be able to argue his version of the truth. It’s also safe to assume that Simmons would not present his evidence in an NFL-friendly PR statement, similar to those Goodell has already released. Thus, for the first time, the public would have access to the other side of the Goodell story, and thanks to the adversarial process, the public would be able to determine whether Roger Goodell lied (and as an aside, whether Bill Simmons is liable for defamation).
As Simmons’s comments about Goodell illustrate, much more than a few hurtful statements play into the decision to bring a defamation lawsuit. A Plaintiff who asserts a defamation claim should be prepared to open up his filing cabinets and email inboxes. Not only can the truth set the defendant free, but the evidence uncovered during discovery may be, and often is, less flattering than the initial defamatory statement. In Goodell’s case, that means he might want to keep his complaints about Simmons out of a courtroom, which unfortunately for us, means that we’ll never know if Goodell is, in fact, a liar.
We recently hosted representatives from the Office of Civil Rights (“OCR”) in both Dayton and Cincinnati. During their visits, they provided attendees insight into the forthcoming HIPAA audits as well as shed some light on what the OCR expects to see when it comes to investigating data breaches. We will be writing a series of blogs on various HIPAA topics in the coming months. And, with the rece nt rash of high profile data breaches, we decided to start with a quick primer of the basics of data breach under HIPAA. The HIPAA Breach Notification Rule (45 C.F.R. §164.414) requires covered entities and business associates to implement policies and procedure to address the timely reporting of breaches. Oh sure, “data breach is data breach,” you might say. But, as with any data breach, you first have to determine if you even have a “breach,” at least as defined by the law. HIPAA is no different.
So, let’s start with what a data breach is under HIPAA. Generally, a “breach” is an impermissible use or disclosure under the HIPAA Privacy Rule (“Privacy Rule”) that compromises the security or privacy of the PHI (“PHI”). Any impermissible use or disclosure of PHI is presumed to be a breach and requires some form of notice to be given unless the covered entity or business associate involved demonstrates that there is “a low probability that the PHI has been compromised.” The OCR has branded this low probability as “LoProCo.” It is also important to note that this breach rule applies to “unsecured PHI,” meaning PHI that has not been encrypted or otherwise rendered de-identified.
A breach is presumed to have occurred, unless the covered entity or business associate can make a LoProCo assessment by providing a risk assessment, which accounts for the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk has been mitigated for the PHI.
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the PHI has been compromised. As with any law, you might expect some exceptions to what is defined as a “breach” and whether notice is required.
- Unintentional PHI access, acquisition, or use. Unintentional access, collection or use of PHI by workforce member or person acting under the authority of a covered entity or business associate does not constitute a breach if such acquisition, access, or use was made in good faith and within the scope of authority. The information cannot be further used or disclosed in a manner not permitted by the Privacy Rule for this exception to apply.
- Inadvertent disclosure. An Inadvertent PHI disclosure is one made by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate. Or, maybe the information is provided to another organized health care arrangement in which the covered entity participates. The information cannot be further used or disclosed in a manner not permitted by the Privacy Rule for this exception to apply.
- Good faith that information not retained. An impermissible disclosure is also not a breach if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
Again, this is just a primer on the basics of data breach under HIPAA. As always, each situation is different, and the time is now to review how your organization is prepared to assess and address a data breach. In truth, this process never stops, it just evolves. As we have said many times before, it is not IF you have a breach or incident, but WHEN. In our next blog, we will discuss the notice requirements pertaining to a breach under HIPAA.
Next Page »