In a landmark ruling, the Vermont Supreme Court recently held that a patient had standing to sue both the hospital at which she was a patient and the employee who attended to her, for negligent disclosure of her personal health information to a third-party. Neither the Health Insurance Portability and Accountability Act (HIPAA) nor Vermont law provide for a private cause of action for damages arising from a medical provider’s disclosure of information obtained during treatment.

In this case, the plaintiff claims that the emergency room nurse who cared for her lacerated arm, later informed a police officer that she was intoxicated, had driven to the hospital, and intended to drive home. Ultimately, the Court concluded that “no reasonable factfinder could determine the disclosure was for any purpose other than to mitigate the threat of imminent and serious harm to the plaintiff and the public”.

While this conclusion is not surprising, what is a bit surprising is the Court’s allowance for this private cause of action to proceed in the first place, given that neither HIPAA nor Vermont law allow for such. The Court reasoned that in recognizing this private cause of action on the basis of common law, other courts have correctly relied on the theory of a breach of duty of confidentiality, insofar as “health care providers enjoy a special fiduciary relationship with their patients” such that “recognition of the privilege is necessary to ensure that the bond remains.”

The Court highlighted further that as evidence of sound public policy underlying the recognition of liability for breach of the duty of confidentiality, courts have cited “(1) state physician licensing statutes, (2) evidentiary rules and privileged communication statutes which prohibit a physician from testifying in judicial proceedings; (3) common law principles of trust, and (4) the Hippocratic Oath and principles of medical ethics which proscribe the revelation of patient confidences.”

The Vermont court joins many other jurisdictions across the United States honoring a private right of action in the context of a breach of the duty of confidentiality, on the basis of public policy. This decision further signifies the heightened focus being placed on an individual’s right to privacy and security of their data. Employers across all industries, but particularly healthcare, are advised to revisit their approach to maintaining sensitive personal information confidentially and securely, as legislation and common law continues to strengthen in this area.