In March 2013, the Second Circuit certified to the New York Court of Appeals the issue of whether a medical corporation may be liable for the unauthorized disclosure of medical information, when the employee responsible for the breach was not a physician and was acting outside the scope of her employment (see post).  In Doe v. Guthrie, decided last week, the New York Court of Appeals answered that question in the negative.

The plaintiff in Doe v. Guthrie went to a healthcare clinic to be treated for a sexually transmitted disease.  A nurse at the clinic was the sister-in-law of the plaintiff’s girlfriend, and sent six text messages to her about plaintiff’s medical condition.  The plaintiff learned of the messages and complained to the clinic, which fired the nurse.  The clinic advised plaintiff that his confidential information had been improperly disclosed, and that disciplinary action had been taken.

Plaintiff sued, alleging among other claims the common law breach of fiduciary duty to maintain the confidentiality of personal health information.  The Second Circuit, which determined that the nurse’s actions were neither foreseeable to defendants not within the scope of her employment, certified the question whether there was a cause of action for breach of fiduciary duty of confidentiality without respondeat superior liability.

The New York Court of Appeals stated that a medical corporation is generally not liable for an employee’s tort outside the scope of employment, and refused to impose absolute liability on a medical corporation for an employee’s dissemination of a patient’s confidential medical information.  “A medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment.”

The Court counseled, however, that a medical corporation can still be liable for its own conduct, including negligent hiring or supervision, failing to establish adequate policies and procedures, and failing to properly train employees in safeguarding confidential information.  This potential liability incentivizes medical corporations to properly safeguard medical information.

The dissent would have recognized a claim against a medical corporation for acts of employees outside the scope of employment.  This view would have unfairly expanded the liability of medical providers, imposing absolute liability for any release of medical information.  The Court’s holding recognizes an appropriate balance, declining to find liability against a provider for employee acts outside the scope of employment, while at the same time recognizing that a provider can be liable for acts within the scope of employment as well as for the provider’s own negligence in maintaining confidential information.

While the medical provider in Doe v. Guthrie was not liable, the decision highlights the need for medical providers to have stringent standards governing the confidentiality of medical information, and to ensure that these standards are clearly communicated to all employees.