Miss D, a minor, was sexually assaulted by an adult male babysitter. The babysitter was arrested, tried, and convicted of sexual assault. During the trial, the defense counsel introduced evidence in the form of Miss D’s medical records to demonstrate that there was no physical evidence of rape. The attorney had not obtained the records via a subpoena or search warrant or other normal channels.
Instead, it was alleged that the medical records had been provided to the defense counsel by Ms B, the mother of the defendant, who was a nurse at the medical center where Miss D was treated following the assault. Ms B was not involved in the care of Miss D, nor did she have any other reason to access the girl’s medical records.
After the babysitter was convicted, Miss D’s lawyers filed an action in the trial court against Ms B and the medical center alleging causes of action for invasion of privacy, negligent hiring, negligence per se, breach of fiduciary duty, negligent training and supervision, and intentional infliction of emotional distress, among other things.
The medical center and Ms B consulted with their defense attorney who suggested that they file a motion to dismiss the case because Miss D’s claims were already covered by HIPAA and the HIPAA violations were under investigation by the government. A motion to dismiss was filed by the defense.
The trial court entered an order granting the hospital and Ms B’s request and dismissed Miss D’s claims in their entirety. The trial court concluded that the “plaintiff’s claims are merely an attempt to strap common law claims onto the back of prohibited behavior under the federal HIPAA statute.” The trial court found that HIPAA does not create a private cause of action, and HIPAA violations can only be acted on by the government. The court concluded that Miss D’s claims were preempted by HIPAA. Miss D appealed the dismissal of the case.
On appeal, the appellate court first looked at what the trial court’s rationale had been and noted that the lower court had set forth 2 bases for its order dismissing the case. First, the trial court concluded that “HIPAA does not create a civil cause of action under state or federal law.” Rather, it is the secretary of the US Department of Health and Human Services who has been charged with promulgating privacy regulations to fulfill the purpose of HIPAA. Federal law outlines the responsibility of a “covered entity” for an individual’s “protected health information.” In the event of a breach, administrative remedies and civil penalties are enforced. However, both state and federal courts have consistently held that there is no private cause of action, noted the appeals court.
The appellate court looked at the second reason the trial court had given for dismissing the case: “HIPAA preempts state law unless the state enacts more stringent measures.” The appellate court noted that federal law states that HIPAA takes precedence over state law, but that there are a few exceptions. One exception is if the state law relates to the privacy of individually identifiable health information and is more stringent than HIPAA’s rules, then the state law is to be used.
Miss D’s suit had asserted 3 state statutes in support of the argument, but the court noted that the statutes, to the extent they applied, were not more stringent than HIPAA rules and thus the state statutes could not be used as an independent basis to support her claims.
Finally, the appellate court addressed some additional arguments that Miss D’s suit made on appeal, specifically the claims against the medical center. Miss D’s suit alleged that the medical center was responsible for the acts of its employee via the theory of respondeat superior, the legal doctrine that states that an employer is responsible for the actions of its employees performed during the course of their employment. However, the appellate court noted that in the complaint, the suit repeatedly alleged that Ms B had procured and distributed the information not as part of her employment.” There can be no claim for respondeat superior liability where an employee engages in wrongful conduct while he or she is not acting to advance the cause of his or her employer,” wrote the court in its decision.
The court addressed the final argument that the medical center had negligently hired, trained, supervised, and retained Ms B. That claim could not survive being preempted by HIPAA, explained the court, because HIPAA addresses such issues as training for employees and utilization of policies and procedures to ensure HIPAA compliance.
“Although the disclosure herein was undoubtedly reprehensible,” wrote the appellate court in its decision, “it is not actionable as a matter of law.”
What Ms B did in this case was completely inappropriate, unprofessional, and wrong. One should never access records of someone who is not a patient and share them with anyone. While the case did not qualify as a legal matter, the medical center will undoubtedly face a HIPAA investigation.
While the court in this case would not allow Miss D to pursue a claim against Ms B, some cases have held that a common law patient privacy cause of action may arise from the same facts that cause a HIPAA violation.
Finally, an employer will not typically be held responsible for the acts of an employee who committed a crime or engaged in wrongful conduct such as what Ms B did when she accessed Miss D’s medical records and sent them to her son’s attorney. Although the result of this case does feel wrong, it is legally correct.
Ann W. Latner, JD, a former criminal defense attorney, is a freelance medical writer in Port Washington, New York.