When does a medical clinic’s employee’s unauthorized texting of patient confidential health information result in liability to the clinic? The answer; it depends.

In Doe v. Guthrie Clinic, Ltd., the Second Circuit Court of Appeals dismissed a patient’s claim against a medical corporation for alleged breach of fiduciary duty based on a non-physician employee’s unauthorized disclosure of confidential medical information. It did so because the New York State Court of Appeals answered the following certified question in the negative: “Whether, under New York law, the common law right of action for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information may run directly against medical corporations, even when the employee responsible for the breach is not a physician and acts outside the scope of her employment.”

In Doe, John Doe was treated at a clinic for a sexually transmitted disease (“STD”). A nurse, who knew Doe’s girlfriend, texted the girlfriend to let her know of Doe’s STD. Her texts were unrelated in any way to Doe’s treatment. After Doe learned of the texts, he complained to the clinic. The nurse was fired. The clinic acknowledged that Doe’s confidential information had been improperly accessed and disclosed and that appropriate disciplinary action had been taken. Doe then commenced a federal diversity action.

In analyzing the certified question presented, the State’s highest court declined to hold the clinic responsible under a claim of breach of fiduciary duty. Generally, a medical corporation might be vicariously liable for the wrongful acts of its employees, but under the doctrine of respondeat superior, liability extends only if those acts were committed in furtherance of the employer’s business. In Doe, the nurse’s conduct was not within the scope of her employment.

However, health care employers must still take caution. Despite the ruling in the case, the court did state that a medical corporation “may also be liable in tort for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train their employees to properly discharge their duties under those policies and procedures.” A health care practice that complies with the privacy and security regulations under HIPAA and applicable state law will be in a good position to avoid this kind of liability. Of course, inadequate policies addressing the protection of confidential patient information could expose the practice to damages in these kinds of suits, as well as penalties under HIPAA.