There’s a follow-up to a breach lawsuit involving an employee of Guthrie Health System who shared a patient’s sensitive medical information with a third party – and privacy advocates will not be happy.
As I first noted in March 2011, “John Doe” sued Guthrie Health System after a nurse sent embarrassing text messages about his sexually transmitted disease to his girlfriend.
In a separate opinion (710 F3d 492 [2d Cir 2013]), the Second Circuit found that the nurse’s actions were not foreseeable to defendants, nor were her actions taken within the scope of her employment (id. at 495). The court explained that in his complaint Doe himself alleged that the nurse was motivated by purely personal reasons and “those reasons had ‘nothing to do with [Doe’s] treatment and care’” (id., citing Doe complaint at ¶ 25). “As such,” the court held, the nurse’s “actions cannot be imputed to the defendants on the basis of respondeat superior” (id. at 496). The court certified the question to this Court, however, whether Doe may assert a specific and legally distinct cause of action against defendant, for breach of the fiduciary duty of confidentiality, even when respondeat superior liability is absent (id. at 498).
So before the NY Court of Appeals was this one question:
“Whether, under New York law, the common law right of action for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information may run directly against medical corporations, even when the employee responsible for the breach is not a physician and acts outside the scope of her employment?”
Today, in a 6-1 opinion, the court answered that question in the negative, holding that
a medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment.
In cases where an injured plaintiff’s cause of action fails because the employee is acting outside the scope of employment, a direct cause of action against the medical corporation for its own conduct, be it negligent hiring, supervision or other negligence may still be maintained (see Judith M. v Sisters of Charity Hosp., 93 NY2d 932, 934). A medical corporation may also be liable in tort for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train their employees to properly discharge their duties under those policies and procedures. These potential claims provide the requisite incentive for medical providers to put in place appropriate safeguards to ensure protection of a patient’s confidential information. Those causes of action in the present case have already been resolved by the federal courts and we therefore do not address them.
In her dissent, Judge Rivera notes:
The majority’s narrow conception of a medical corporation’s duty undermines New York’s public policy to protect the confidentiality of patients’ medical records (see Public Health Law § 2803-c [f]). The ease with which confidential patient information can now spread through personal digital devices and across social networks demands a strong legal regime to protect a patient’s confidentiality. A cause of action directly against a medical corporation, unhampered by questions as to whether an employee’s conduct occurred within the scope of employment, ensures the fullest protections for patients and best addresses the current realities of medical service delivery.
A hospital should owe a duty to keep a patient’s health information confidential, and a hospital should be directly liable for its own failure to prevent breaches of confidentiality by employees who act outside the scope of their employment.
Not surprisingly, I agree with Judge Rivera.
[Added link to Second Circuit ruling, thanks to Mark Eckenwiler]