Author: Emilee Daniel

Can East Palestine, OH Seek Derailment Relief Through a Medical Monitoring Program?

On February 3rd, 2023, a Norfolk Southern train derailed in East Palestine, Ohio. The village rests on the Ohio-Pennsylvania border. Investigators believe that a broken axle caused approximately fifty of the 100 car train to derail. Five derailed cars carried vinyl chloride. Over the following days, the vinyl chloride was released from the cars in a controlled burn, unleashing hydrogen chloride and phosgene gases into the air. Although residents were originally evacuated, they were soon permitted to return only a few days later.

The Environmental Protection Agency classifies vinyl chloride (VC), a chemical commonly used to manufacture PVC piping, as a Known Human Carcinogen. The chemical’s Category A classification is based on human occupational studies and animal testing. The tests and studies show that VC is hazardous if inhaled or absorbed orally or dermally. Nearly all cases of liver angiosarcomas have been linked to occupational exposure to VC. Furthermore, VC has been linked to liver, brain, lung, and lymphopoietic system cancers. Highly concentrated exposures can also cause headaches, drowsiness, and dizziness.

As of February 15th, the Ohio Environmental Protection Agency was testing the wells that supply drinking water to the area and maintained that they were not contaminated. However, residents of the area have reported headaches, sudden death of domesticated pets, and lifeless fish in nearby streams.

Undoubtedly, this disaster has major health and environmental implications, but developments in American tort law may burden Ohioans who seek relief. As of February 10th, four lawsuits had been filed, three in the United States District Court for the Northern District of Ohio and one in the Court of Common Pleas Columbiana County, Ohio. Two of the federal suits include a count of strict liability, alleging that transporting a known carcinogen is an ultrahazardous activity. The state suit partially relies on res ipsa loquitur. Res ipsa loquitur is a torts doctrine that allows plaintiffs to argue for liability based on the assumption that without the defendant’s negligence the event that occurred would not have ordinarily happened. 

All four suits have two things in common: they are petitioning for class action status and seek for Norfolk Southern to fund a medical monitoring program (MMP) for individuals within a certain radius of the detrainment and controlled burn. MMPs provide ongoing medical screening and care to populations who are not currently injured but will likely develop health issues caused by a negligent act. American tort law’s view of MMPs is being cautiously evaluated. MMPs would provide relief to those exposed to hazards that may take years to medically manifest but would impose liability without presence of a current physical injury, violating a tenant of tort law. The Supreme Court has previously rejected a MMP to relieve railroad workers exposed to asbestos because it was concerned about overextending liability. The American Legal Institute (ALI) is considering the topic while drafting its Restatement (Third) of Torts: Concluding Provisions.

As of October 2020, eleven states legally recognized MMPs. Pennsylvania and West Virginia not only allow MMPs but recognize them as a cause of action. These two states border Ohio and also sit within the Appalachian Mountains. Although MMPs present relatively novel considerations in American tort law, such a program may be the most just course of action when a railroad company experienced in derailments exposes an entire town to a known carcinogen due to a broken train axle.

Accountability for Privacy Violations in Mobile Health Apps: Flo Health and the Health Breach Notification Rule

Digital privacy concerns were raised once again following the overturn of Roe v. Wade in June 2022. These concerns were exacerbated when messages sent via Facebook Messenger discussing a medication-induced abortion were the basis for further search warrants that were used to prosecute a mother and daughter in Nebraska. As exemplified in the Nebraska case, tech companies must comply with search warrants issued by courts, sewing privacy concerns particularly in period tracking app users. Following the overturn of Roe v. Wade, menstruating people were encouraged to delete period tracking apps all together, but data experts warned that deleting the apps alone may not protect users.

Privacy concerns are not new to period tracking apps. Flo Health is a period tracking app, used by more than 100 million users, with a history of privacy concerns. From 2016 to 2019, Flo Health promised users to keep their health data private yet released identifiable health information to third party applications, including Facebook’s analytics division. In 2020, the Federal Trade Commission (FTC) filed a complaint against Flo Health alleging that the app had misled users about how their health information was stored and used. Flo had been sharing user data with third party firms under app event names such as “R_Pregancy_Week_Chosen,” explicitly communicating their health information. Flo Health reached a settlement with the FTC in 2021. Flo Health is just one example of how mobile apps struggle with privacy compliance.

While the Health Insurance Portability and Accountability Act (“HIPAA”) applies to many institutions who store personal health records, its application to mobile health apps, such as Flo Health, can be complicated.  The FTC has released an interactive tool for mobile health app developers to determine if certain regulations apply to their app. One such regulation is the Health Breach Notification Rule (“HBN”). The HBN was enacted in 2009, but, as of 2021, the FTC has never brought  an action to enforce it.  The HBN was enacted to ensure accountability when entities not covered by HIPAA compromise consumers’ sensitive health information.  The regulation requires subjected entities to inform users and the FTC of any breach of security of unsecured personal health records. A breach of security is considered any acquisition of identifiable health records that is not authorized by the consumer.

While the FTC did not charge Flo Health with a violation of HBN, two Commissioners released a joint statement arguing that its application was warranted in the case. Commissioners Rohit Chopra and Rebecca Kelly Slaughter argue that Flo Health shared user data with Facebook and other entitles, without obtaining the user’s authorization to do so. The Commissioners seek enforcement of the HBN as a way to, “induce firms to take greater care in collecting and monetizing our most sensitive information.” The FTC has also published further guidance for mobile health app developers that store sensitive health information. The guidance includes minimizing data collected, storing it in a de-identified form, and limiting operating systems’ access to the data.

Despite this guidance, Flo Health, and apps like it, still store detailed, identifiable information about their users, including personal notes left by the user. However some progress has been made as Flo Health released an “anonymous mode” after the overturn of Roe v. Wade in June, allowing users remove their name, email address, and technical identifiers. However, a user’s privacy and control over their health information should not be an afterthought only brought about by changes in case law, especially when regulations already exist to hold entities accountable for releasing sensitive information without the user’s authorization.