In  last week’s decision in Doe v. Guthrie Clinic, Ltd. the Second Circuit Court of Appeals certified to the New York Court of Appeals the issue of whether a medical corporation may be liable for the unauthorized disclosure of medical information, when the employee responsible for the breach was not a physician and was acting outside the scope of her employment.

The plaintiff in Doe went to a health clinic to be treated for a sexually transmitted disease.  A nurse at the clinic was the sister-in-law of the plaintiff’s girlfriend, and sent six text messages to her about plaintiff’s medical condition.  The plaintiff learned of the messages and complained to the clinic, which fired the nurse.  The clinic advised plaintiff that his confidential information had been improperly disclosed, and that disciplinary action had been taken.

Plaintiff sued, alleging among other claims the common law breach of fiduciary duty to maintain the confidentiality of personal health information.  On appeal from the dismissal of the claim by the district court, the Second Circuit first recognized that a common law action against a physician who improperly discloses confidential medical information is well established in New York.  However, the Court also noted that corporate liability is not implicated by the ultra vires acts of employees.  The issue presented, therefore, was whether the common law claim can lie against the corporation when the responsible employee was acting outside the scope of her employment.

Scant Case Law

The Second Circuit found very little New York case law on the issue.  A Third Department case found an expanded corporate tort liability in such a situation, but without citation to statutory authority or case law and over a dissent by two justices.  A subsequent New York Court of Appeals case did not impose liability on a medical corporation for a sexual assault by a physician, but that case did not involve an alleged breach of fiduciary duty for unauthorized disclosure of medical information.

The Second Circuit found the issue proper for certification to New York’s highest court. In addition to the sparse state case law, the Court noted that the issue implicates significant New York state interests in the confidentiality of medical information and in the liability of New York-based medical providers.

Compliance Concerns

Regardless of how the New York Court of Appeals decides this issue, the Doe case again highlights the need for medical providers to have good policies governing the confidentiality of medical information, and to ensure that these policies are clearly communicated to all employees.  Providers may wish to review HIPAA, HITECH and State requirements with their legal counsel in order to comply with the often complex provisions of the laws and regulations.