Mid-Atlantic Health Law TOPICS

Background hero atmospheric image for Employer Liability for Employees’ Confidentiality Breaches

Employer Liability for Employees’ Confidentiality Breaches

Respondeat superior is a Latin term that means “let the master answer.” In practical terms, that doctrine means holding an employer responsible for the wrongful acts its employees take within the scope of their employment.

Since the advent of social media, this has meant that health care employers need to be more concerned than ever with how employees handle confidential patient information.

A. Hayden v. Franciscan Alliance

A recent Indiana court decision, Hayden v. Franciscan Alliance, gives employers some cause for comfort by illuminating important steps that can be taken to shield health care entities from certain types of liability.

Leslie Hayden was seen at St. Francis Hospital’s radiology department for a broken arm. Two years later, Brook Collins, an employee in the hospital’s registrar’s office, sent a copy of Hayden’s confidential medical information to Jessica Henley. Henley, in turn, texted a screenshot of Hayden’s confidential medical records to Hayden’s boyfriend and posted the information on Facebook. The court noted that the three women had an “acrimonious relationship” going back to high school.

Hayden filed suit against the hospital asserting, among other legal theories, that the hospital was liable for Collins’ actions under the doctrine of respondeat superior. The court, however, rejected that claim holding that “[a]n employer is liable for an employee’s tortious acts under respondeat superior only if those acts occurred within the scope of employment.”

In general, an act is within the employee’s “scope of employment” where it furthers the employer’s business or it is incidental to authorized conduct, but employers are not responsible for acts done on the employee’s own initiative “with no intention to perform it as part of or incident to the service for which he is employed.”

In reaching its decision, the court placed heavy reliance on Collins having signed an agreement when she was hired stating that she could only use and access information in the hospital’s records to perform her job duties, and that inappropriate use or disclosure would result in discipline and/or legal action. Collins also received regular training in HIPAA compliance, patient privacy and appropriate access to, and use of, medical records.

Under these circumstances, the court found that Collins knew she was violating hospital policy in disclosing Hayden’s records, and that she acted outside the scope of her employment in doing so. As a result, the court found that the hospital was not liable under respondeat superior for Collins’ actions.

B. Implications

Maryland courts apply a similar test in determining liability under a respondeat superior theory, that is, whether the employee’s acts “were in furtherance of the employer’s business and were ‘authorized’ by the employer,” and have held that “[t]he foreseeability of the employee’s conduct is also an ‘important factor.’”

Although Hayden was a positive outcome for the hospital, respondeat superior claims continue to pose a challenge for employers because the decisions often turn on factual nuances. To reduce the chance of liability for an employee’s disclosure of confidential patient information, prudent health care employers should require each employee to read and sign a comprehensive patient confidentiality policy or agreement.

The policy should describe the limits of authorized access to patient records, prohibit unauthorized disclosures and specifically proscribe the posting of any protected information on social media or other third-party platforms. In addition, employees should be required to attend regular training on HIPAA and other patient privacy issues.

No measures are an absolute shield against potential liability for inappropriate disclosures. Indeed, even if an employer avoids respondeat superior liability, it may be exposed to other privacy and tort claims by adversely impacted patients, as well as HIPAA fines and other regulatory actions.

Taking active steps to educate employees about their duty to maintain confidentiality, however, is an important step in creating a successful defense. As the Hayden case demonstrates, having an effective confidentiality regime in place can mean the difference between success and liability.

Charles R. Bacharach
410-576-4169 • cbacharach@gfrlaw.com

A version of this article appeared in The Daily Record on September 15, 2020.