Healthcare organizations are learning tough lessons that actions of employees can come back with serious consequences to the organization. When it comes to maintaining the privacy and security of patient data, no action comes without a consequence. While some actions are completely uncontrollable, that does not necessarily mean that liability cannot potentially flow to the employer. Additionally, HIPAA may only tell part of that story in that regard as state law will play a significant role in determining potential liability.
The impetus for the focus on potential employer liability is a recent decision from the Supreme Court of Virginia. The high-level summary is that the employer healthcare organization (Carilion) may be liable for the snooping of two employees into the record of a patient and the subsequent spreading around of information learned. The Virginia Supreme Court found that vicarious liability could exist based on the actions taken by the employees. Given the snooping premise, the ruling could realistically apply to any healthcare organization around the country. Snooping is a pervasive problem and one of the leading causes of data breaches, whether the so-called “small” breaches or in some instances the large, immediately reportable breaches as well. While any form of snooping should always be taken seriously, if more litigation results, then maybe it will garner more corrective action.
Diving into Carilion
Getting more into the details of Carilion, the factual background from the complaint is a patient visited a Carilion clinic for a particular issue, then presented months later at a different clinic for an unrelated issue. While in the waiting room, the patient started chatting with another individual who was acquainted with an employee at that clinic. The employee decided to take a look at the patient’s record, then called another Carilion employee to discuss the conversation and what was found by looking at the patient’s record. The second employee also looked in the patient’s record to confirm what the first employee stated. As would be expected, the whole chain of circumstances made it way back to the patient. The patient complained and initiated the lawsuit against the two employees and Carilion. With respect to Carilion, the patient alleged vicarious liability for the actions of the employees and direct liability of negligence per se under Virginia law for a purported HIPAA violation. Upon Cariliion’s motion, the trial court dismissed all of the claims.
The appellate decision from the Virginia Supreme Court, while premised upon Virginia law, offers organizations food for thought when it comes to potential liability based on employee actions. Taking the vicarious liability claim first, the analysis considered whether the doctrine of respondeat superior should hold Carilion liable for the actions of the two employees. For the doctrine to apply, the individuals would need to be employees and the harmful act would need to occur within the scope of employment. The first element is likely easy to determine in most circumstances and will not present a hurdle.
The second element of the act being within the scope of employment raises more complicated questions. What constitutes being within the scope of employment and when activity edges outside to being animated by personal motives. As pointed out in the Carilion case, that is a factual decision that would need to be made by a judge or jury. The need to make it a factual determination underscores the risks to organizations that can arise from snooping. While any form of snooping is arguably motivated by personal desires, that is not always readily apparent and can take many years and lots of money to dispute. From the HIPAA perspective, it highlights to need to have strong policies in place setting forth what constitutes appropriate access and also pushing for access controls in terms of who can access what data.
The negligence per se claim asserted that Carilion should be liable under Virginia law as a result of the purported HIPAA violation. The patient tried to claim that HIPAA established a standard of conduct and that not meeting that standard should constitute negligence. The Virginia Supreme Court denied that claim in requiring that an underlying common law duty be violated, which duty could not be created solely by reference to another law. The determination that HIPAA did not automatically set a standard of conduct is very much specific to Virginia. Each state can and may take a different approach in defining its own law in reference to standards set by federal law. The nuances established in each state need to be considered for the potential to result in liability. It is not sufficient to just look to HIPAA on the federal level and believe that everything will be ok.
Liability for PHI Removal
In another example, the University of Rochester Medical Center (“URMC”) was fined $15,000 by the New York Attorney General after a nurse practitioner took patient data to a new employer. The URMC does date back to 2015, but demonstrates that the covered entity bears ultimate responsibility for complying with HIPAA. In assessing the facts in the URMC case, it seems like attention focused on the departing/departed nurse practitioner asking for a patient list, which was provided in spreadsheet form. More often, when an employee leaves there is a clear acknowledgment that the employee is cut off from all of the employer’s patient information because HIPAA does not allow continued access. The seemingly voluntary transmission offers a plausible basis for fining an entity when the ultimate bad act was on the part of the departed employee. As such, the takeaway from the URMC case is to not be overly generous as misuse of information can come back to haunt the organization.
Ensuring the privacy and security of patient information needs to be a paramount concern at all times. While it is impossible to control all the actions of employees, organizations can and must take reasonable and appropriate action to secure information as much as possible. That means understanding obligations imposed by HIPAA and likely considering additional reasonable protections beyond HIPAA. Implementing solid policies and procedures can help educate both the organization and the workforce on requirements while providing an argument that any inappropriate action by an individual was not condoned by the organization. Ultimately, being conscientious and attentive to compliance considerations is a preferable approach.