John Doe is out-of-luck for a romantic Valentine’s Day this year. He recently discovered that his protected health information regarding treatment for a sexually transmitted disease (“STD”) was sent to his girlfriend. While being treated for an STD at a New York clinic, John Doe was recognized by one of the clinic’s nurses. Unfortunately for John Doe, the nurse knew that he was the boyfriend of her sister-in-law. She discovered that he was being treated for an STD, and she contacted her sister-in-law via text message to inform her of his medical condition. John Doe learned of the nurse’s text messages disclosing his STD when his girlfriend forwarded them directly to him while he was still at the clinic. The clinic fired the nurse for breaching John Doe’s confidential information. However, the New York Court of Appeals recently found that the clinic is not liable for the nurse’s breach of confidential information.
According to the Court’s majority opinion, “an employer may be vicariously liable for the tortious acts of its employees only if those acts were committed in furtherance of the employer’s business and within the scope of employment.” However, in this case, the Court found that the nurse’s actions were not within the scope of her employment. In reaching its decision, the Court stated that “a medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable . . . .” To find the clinic liable would be against precedent, the Court held.
The Court’s dissenting opinion argued that the clinic should be held liable, stating that the majority’s decision “undermines New York’s public policy to protect the confidentiality of patients’ medical records” and that the “ease with which confidential patient information can now spread through personal digital devices and across social networks demands a strong legal regime to protect a patient’s confidentiality.”
The Court’s decision comes at a time of heightened scrutiny of the security of protected health information. While the clinic was not found liable in this case, there could very well be instances where a court might not be so generous. Health care entities need to implement and enforce proper policies and training regarding the importance of securing protected health information; otherwise John Doe’s heartbreak could be end up being the health care entity’s compliance problem.
The Health Law Gurus™ will continue to follow cases relating to breaches of protected health information.