The New York Court of Appeals ruling that came down last week in Doe v. Guthrie Clinic , 2014 NY Slip Op 00138 (Court of Appeals 1/9/14), should prove helpful in evaluating the liability of medical corporations in cases involving the disclosure of confidential patient information where the breach of confidentiality is unrelated to the patient's treatment. In Guthrie Clinic, a nurse at the clinic treating the plaintiff for sexually transmitted disease recognized the plaintiff as the boyfriend of her sister-in-law, prompting the nurse to send her sister-in-law a series of text messages concerning the boyfriend's medical condition (i.e. his STD). The ruling came in response to the certification of a question to the New York Court of Appeals from the Second Circuit, which had earlier disposed of other of plaintiff's claims.
The key holding in the Court of Appeals decision is that liability did not extend to the medical corporation because its "duty of safekeeping a patient's confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment". The Court analogized the facts here to those in N.X. v. Cabrini Med. Ctr, 739 N.Y.S.2d 348, a 2002 case where the defendant hospital was not found strictly liable for a surgical resident's sexual assault on a sedated patient.
The Court reaffirmed the rule that "under the doctrine of respondeat superior, an employer may be vicariously liable for the tortious acts of its employees only if those acts were committed in the furtherance of the employer's business and within the scope of employment". Under both the facts of Cabrini and Guthrie, the tortious actions of the employee were not reasonably foeseeable.
In a decision handed down on March 25, 2013, the Second Circuit dismissed that part of plaintiff's claim seeking to hold the medical corporation liable under a theory of respondeat superior. The Second Circuit determined that the nurse's motive in disclosing confidential patient information was entirely personal. The Court certified to the New York Court of Appeals the question whether NY recognized a common law right of action for breach of the fiduciary duty of confidentiality against medical corporations under the facts presented.
The dissent to the majority opinion of the Court of Appeals argued that a patient's disclosure of confidential information is necessary for treatment and that the patient has no control over what happens to this information. The dissent argued further that, just as in the Cabrini case scenario, involving a sedated patient laying helplessly in her hospital bed, a medical corporation should be held to an independent duty to prevent an employee from acting outside the scope of his employment and harming the patient.
In response to the dissent, the majority rejoined that if the dissent fouind the majoritiy holding too "narrow", the "dissent's reasoning is flawed for the opposite reason; it is too broad." The Court was clearly unwilling to impose a strict liability standard for the release of confidential medical information.
The Court of Appeals decision is well-reasoned and correct, but issues over alleged breach of patient confidentiality are sure to be raised again. As the dissent noted, "technological advances have made it possible to collect and house patient data in ways accessible to a patient's doctor and other health care provider staff. Computers and cellular devices have transformed medical record keeping and health care service provision, making access to such data fast and easy." Confidential patient information is increasingly being transmitted via web and mobile devices--tablets and smartphones.
Issues concerning what measures are reasonably required to keep these networks secure will no doubt be raised in the future.