Can an employer be held liable for an employee’s HIPAA violation even if the employee engaged in an unauthorized act that was motivated by the employee’s own personal interest? In the recent decision of SoderVick v. Parkview Health System, Inc., No. 19A-CT-2671 (May 15, 2020), the Court of Appeals of Indiana opened up that possibility when it reversed a trial court’s award of summary judgment in favor of an employer, ruling that the question of whether the employee was acting within the scope of her employment was a question of fact that should be left for a jury to decide.
In SoderVick, the plaintiff came to the defendant, Parkview’s, office for an OB/GYN appointment. A Parkview employee had the responsibility that day of inputting patient information into Parkview’s electronic health record system. In connection with her position, this employee had received training from Parkview regarding patient privacy issues and HIPAA compliance. She also signed a “Confidentiality Agreement and Acknowledgement Regarding Access to Patient Information.” Among other things, that Agreement indicated that the release of patient information could be a violation of HIPAA and Parkview’s policies, and that an employee could be immediately terminated if the employee released such information.
When the plaintiff came in for her appointment, she handed the Parkview employee a filled-out patient information sheet. The employee then spent about one-minute inputting that information onto Parkview’s electronic health record. The employee recognized the plaintiff’s name as someone who had liked a photo of the employee’s husband on his Facebook account. Suspecting that the plaintiff might have had, or was then having, an affair with her husband, the employee sent some texts to her husband relating to the fact the plaintiff was a Parkview patient. Her texts included information from the patient chart that the employee had created from the patient’s information sheet, such as the patient’s name, her position as a dispatcher, and the underlying reasons for the plaintiff’s visit to the OB/Gyn. Even though such information was not included on the chart, the employee also texted that the plaintiff was HIV-positive and had had more than fifty sexual partners. While using the husband’s phone, the husband’s sister saw the texts. The sister then reported the texts to Parkview. Upon receipt of the sister’s report, Parkview initiated an investigation into the employee’s conduct and ultimately terminated the employee. As part of that investigation, Parkview notified the plaintiff of the disclosure of her protected health information.
Upon notification from Parkview, the plaintiff sued Parkview seeking to hold Parkview liable for the employee’s conduct on respondeat superior grounds (employer’s liability for acts of its employees). The trial court entered summary judgment in Parkview’s favor, finding that the employee’s conduct fell outside the scope of her employment, and that Parkview could not be held vicariously liable for such conduct. The appellate court reversed this ruling. The appellate court focused on one of the two alternative prongs for a valid respondeat superior claim: whether the employee’s conduct was incidental to the employee’s job duties. In this regard, the court identified three factors that could be considered in determining whether a wrongful act was incidental to the employee’s job duties: (1) whether the wrongful act was of the same general nature as her authorized job duties; (2) whether the wrongful act was intermingled with authorized job duties; and (3) whether the employment provided the opportunity or means by which the employee could commit the wrongful act. The court then held that if some of the employee’s actions were authorized, then the question of whether the unauthorized acts were within the scope of employment had to be one for the jury to decide, precluding an award of summary judgment.
Applying these factors to the facts at issue, the court noted that the employee’s documented job duties included the implementation of the electronic medical records. The court also noted that it was while she was performing her authorized duties that the employee accessed the plaintiff’s records and proceeded to text the information to her husband. Hence, in the court’s mind, the employee’s misconduct “intermingled” with her ordinary, authorized job duties. Because the employee was using Parkview’s equipment when she inputted the plaintiff’s private information, the court also concluded that her employment at Parkview enabled the employee to commit the misconduct in question.
There was no dispute in the case that the employee’s acts violated Parkview’s specific policies regarding confidential patient information. But, according to the court, Parkview may be held vicariously liable for the employee’s actions “to the extent it was ‘incidental’ to authorized conduct, notwithstanding her subjective intent in disclosing the information or the fact that her conduct was directly counter to Parkview’s rules and policies.” Moreover, at least for summary judgment purposes, the court found irrelevant the employee’s clear act of transmitting the plaintiff’s information for her own personal reasons. Instead, in the court’s mind, the issue of whether the employee’s acts were incidental to her job duties was solely an issue for the jury, not the court, to decide.
In issuing its ruling, the court did not enter judgment in the plaintiff’s favor. Rather, it simply remanded the matter for a jury trial on the issue of whether the employee’s acts were incidental to her job duties. However, by construing the “incidental duties” in the broad manner that it did, the court gave notice to Indiana employers that it will be nearly impossible for them get summary judgment in HIPAA cases brought on respondeat superior grounds. The likely result, of course, is that even in cases where the employee violates HIPAA out of his or her own self-interest, an employer is either going to have to settle the case or go through the costly process of taking the case to trial.