Disclosure of Patient Records Outside Nurse’s Job Not Actionable

A man was being treated for a sexually transmitted disease (STD) at a private health care provider’s medical facility. A nurse employed by the provider recognized the man as the boyfriend of her sister-in-law. The nurse accessed the man's medical records and learned that he was being treated for the STD. While he was still awaiting treatment, she sent text messages to her sister-in-law informing her of the man's condition. The sister-in-law immediately forwarded the messages to the man.


Five days after his visit to the facility, the man called to complain of the nurse's behavior. He met with an administrator of the provider, and the nurse was fired. Thereafter, the President and CEO sent the man a letter confirming that there had been an unauthorized disclosure of his confidential health information, that appropriate disciplinary actions had been carried out, and that steps had been taken to prevent such a breach from occurring in the future.


The man sued the provider in federal court for common law breach of fiduciary duty to maintain the confidentiality of personal health information. The United States District Court for the Western District of New York dismissed the man's claim.


The United States Court of Appeals for the Second Circuit found that the nurse's actions were not foreseeable to the provider, nor were her actions taken within the scope of her employment. The court explained that in his complaint the man himself alleged that the nurse was motivated by purely personal reasons and those reasons had nothing to do with his treatment and care. As such, the court held, the nurse's actions could not be imputed to the provider on the basis of respondeat superior.


The court certified the question, however, whether the man may assert a specific and legally distinct cause of action against the provider, for breach of the fiduciary duty of confidentiality, even when respondeat superior liability is absent. Specifically, “Whether, under New York law, the common law right of action for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information may run directly against medical corporations, even when the employee responsible for the breach is not a physician and acts outside the scope of her employment?”


The Court of Appeals of New York answered the question in the negative. Specifically, the court held that a medical corporation's duty of safekeeping a patient's confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of the employment.


Generally, a hospital or medical corporation may be held vicariously liable for the wrongful acts of its employees. However, under the doctrine of respondeat superior, an employer may be vicariously liable for the tortious acts of its employees only if those acts were committed in furtherance of the employer's business and within the scope of employment. The court held a medical corporation's duty of safekeeping a patient's confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment.


In cases where an injured plaintiff's cause of action fails because the employee is acting outside the scope of employment, a direct cause of action against the medical corporation for its own conduct, be it negligent hiring, supervision or other negligence may still be maintained. A medical corporation may be liable in tort for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train their employees to properly discharge their duties under those policies and procedures.


See: Doe v. Guthrie Clinic, Ltd., 2014 WL 66644 (N.Y., January 9, 2014) (not designated for publication).


See also Medical Law Perspectives, November 2012 Report: Liability for Electronic and Other Medical Record Information Disclosure