American Medical News
By — Posted April 22, 2013
Should a medical clinic be liable for the intentional disclosure of private health information by a staff member? The New York Court of Appeals will weigh this question in Doe v. Guthrie Clinic, a case in which a nurse texted a relative about a patient’s sexually transmitted disease.
Legal experts say the case is a reminder to physician practices and medical offices to educate employees properly about privacy regulations and ensure that they know the consequences of such breaches.
“The employer here clearly had no expectation that this woman was going to [reveal the health information], but at the same time, it absolutely should be acknowledged that this sort of thing happens,” said Brad M. Rostolsky, a Philadelphia-based health law attorney who specializes in compliance issues concerning federal and state privacy laws. “Clearly, covered entities across the board should really focus on stressing how important it is that work-force members do not inappropriately view records and, more importantly, that they do not communicate anything about those records.”
The case stems from a visit to Guthrie Clinic Steuben in Corning, N.Y., by an unnamed plaintiff for treatment of a sexually transmitted disease. A nurse at the clinic learned of his condition. She sent six text messages to the patient’s girlfriend, who was the nurse’s sister-in-law, about his condition, according to court records.
When the patient learned of the messages, he called the clinic to complain, and the clinic fired the nurse. The plaintiff, identified as John Doe in court documents, then sued the clinic and several affiliated entities, including Guthrie Medical Group P.C. and Guthrie Healthcare System. He alleged that the defendants breached their fiduciary duty to maintain his confidential health information, among other claims.
A trial court dismissed the claims, and the plaintiff appealed to the 2nd U.S. Circuit Court of Appeals. The 2nd Circuit on March 25 certified the question to the New York Court of Appeals, the highest court in the state. Specifically, the 2nd Circuit asked the court to decide whether plaintiffs can sue medical corporations for the disclosure of private information by a staff member if the employee is not a physician and acted outside the scope of his or her employment.
Under New York common law, an employer is liable for the actions of employees only if their conduct were foreseeable and if they acted within the scope of their employment. For instance, if a nurse was faxing medical records to a physician and accidently sent the documents to a third party, this would be “within the scope of her employment,” because she was faxing the documents during the course of doing her job. An employee’s conduct cannot be attributed to his or her employer if the actions were motivated solely by personal reasons.
The 2nd Circuit noted that the nurse’s actions in Doe appeared unforeseeable and beyond the scope of her employment. However, the plaintiff argues that medical clinics and corporations are separately and strictly liable under New York law for breaching their fiduciary duty to keep personal health information confidential. “Strict liability” refers to absolute legal responsibility for an injury that can be imposed on a defendant without proof of fault.
An attorney for Guthrie Clinic declined to comment.
The case could have significant ramifications for future confidentiality cases in New York and elsewhere, said T. Andrew Brown, the plaintiff’s attorney.
“This has the potential to be one of the biggest privacy rights decisions by the U.S. 2nd Circuit as well as the New York Court of Appeals,” he said. “If the court does find there is an actionable right directly against a medical facility for the disclosure of medical information by a nonphysician, that would have huge implications throughout New York state and throughout the country.”
New York’s privacy statutes are not unique. Most states have similar common laws about the duty of health professionals to protect private health information, said Joshua Cohen, a founding partner at DeCorato Cohen Sheehan & Federico LLP in New York City and president of the New York State Medical Defense Bar Assn.
All states also must comply with the regulations set forth in the Health Insurance Portability and Accountability Act. However, plaintiffs cannot file a civil claim under HIPAA, while state privacy laws allow for causes of action.
A ruling in favor of the plaintiff could make it more challenging for defendants such as clinics and physician offices to fight similar suits, said Mark Horgan, senior vice president for claims at CRICO, a professional medical liability insurer in Massachusetts.
“It [would] allow these kinds of cases to be brought without really even the need to prove anything other than the disclosure and employment status,” he said. “In a negligence case, you have to prove that a mistake was made. In a strict liability case, all you have to show is that there was an injury and an employment relationship between an employee and employer. What it would do is basically lead to a lot of settlements, because those cases would be very difficult to defend.”
A decision for the plaintiff also could prompt plaintiff attorneys in other states to argue for similar interpretations of their state privacy laws, he said.
“Your typical individual like a nurse doesn’t have substantial assets, and most insurance companies will not cover deliberate wrongful acts,” Horgan said. “What the plaintiff is looking for is somebody that they can sue” for greater compensation.
To avoid confidentiality breaches by staff members, practices should implement strict written policies and procedures about what employees should not disclose or discuss, said Frank B. O’Neil, senior vice president and chief communications officer for the national medical liability carrier ProAssurance Corp. Nurses and other clinicians often are not aware that their behavior could lead to a potential breach, he said. For instance, O’Neil was recently visiting a doctor’s office when he overheard two nurses openly discussing another patient’s medical history.
“I told the doctor, ‘This is a poster child for a HIPAA violation,’ ” he said.
ProAssurance recommends that all employees sign a confidentiality agreement as a condition of employment and again at the time of their performance evaluations. Supervisors should actively monitor for staff violations and discipline violators in a consistent manner.
Unfortunately, it often takes a case such as Doe to highlight the risks of employee privacy breaches and to encourage proactive precautions, Rostolsky said.
“Ultimately, it’s a very strong reminder that covered entities [are] being given the patient’s most sensitive information and they need to [protect] that sensitive information,” he said. “It needs to be part of the culture of covered entities.”