Can a medical facility be liable for a deliberate breach of patient confidentiality by a low-level employee? The New York Court of Appeals, the state’s highest court, recently ruled that a private medical clinic could not be held liable for the disclosure of confidential medical information by a nurse found to have acted outside the scope of her employment.
The plaintiff in Doe v. Guthrie Clinic, Ltd. (2014 N.Y. Slip Op 00138) was being treated for a sexually transmitted disease (STD) at the defendant clinic. A nurse employed by the clinic recognized the patient as her sister-in-law’s boyfriend. After accessing his medical records and learning that he was being treated for the STD, the nurse texted her sister-in-law, who immediately forwarded the message to the plaintiff.
Although the nurse was promptly fired after the plaintiff complained to the clinic, he brought an action in federal court alleging, among other causes of action, a common-law breach of fiduciary duty to maintain the confidentiality of personal health information. The U.S. District Court for the Western District of New York dismissed the complaint in its entirety. On the plaintiff’s appeal from the dismissal of certain claims, the U.S. Court of Appeals for the 2nd Circuit certified to the New York Court of Appeals the issue of whether the plaintiff had a viable claim for breach of fiduciary duty. The dismissal of the remaining claims, including negligent hiring, training and supervision, was affirmed. In a separate opinion, the 2nd Circuit found the nurse’s actions were concededly undertaken for personal reasons having nothing to do with the plaintiff’s care and treatment, so the clinic could not be held vicariously liable pursuant to the doctrine of respondeat superior.
The State Court of Appeals rejected the plaintiff’s contention that absolute liability should be imposed on a medical corporation for an employee’s dissemination of confidential medical information, holding that a medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment. The court explained that a medical corporation could potentially be held liable for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train employees to properly discharge their duties under those policies and procedures, and that “[t]hese potential claims provide the requisite incentive for medical providers to put in place appropriate safeguards to ensure protection of a patient’s confidential information.” One judge dissented and would have imposed strict liability for any disclosure by an employee, an approach that the majority rejected as “unnecessary and against precedent.”
In an unrelated action, the theft of an unencrypted flash drive containing electronic protected health information relating to the performance of Mohs surgery on approximately 2,200 patients led to an agreement on Dec. 24, 2013, whereby a Massachusetts dermatology practice agreed to pay $150,000 to the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle potential HIPAA violations resulting from the theft. The flash drive, which had apparently been stolen from a vehicle belonging to one of the staff members, was never recovered.
The case has been described as the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act. OCR also imposed a corrective plan requiring the practice to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as provide an implementation report to OCR.
Together, these two decisions demonstrate the potential liability that even small practices face for failing to have in place consistent and effective safeguards — including employee guidelines and training — to prevent the unauthorized disclosure of confidential medical information. In addition, the case involving the dermatology practice may signify an increased willingness on the part of OCR to prosecute HIPAA and HITECH violations.
Barbara D. Goldberg is a partner and head of the Appellate Department of Martin Clearwater & Bell LLP. For more information, please visit www.mcblaw.com.