And speaking of how much a health care facility can do about a rogue employee and whether they are responsible or liable, there is an update to a case I first noted here in 2011 involving a Guthrie Healthcare System clinic in Corning, New York. In that case, a nurse willfully disclosed a patient’s information on a sexually transmitted disease (STD) to his girlfriend (who was also her sister-in-law). She was fired for her actions, but the “John Doe” patient sued the clinic. His case was dismissed but he has appealed.
As reported yesterday in Newsday:
The legal issue is whether Guthrie, which operates health care facilities throughout New York’s Southern Tier, can be held liable for the nurse’s actions, which occurred in 2010.
John Doe filed the lawsuit in a lower federal court, which dismissed the case. But it’s now before the U.S. Court of Appeals for the 2nd Circuit, which has turned to the New York Court of Appeals to ask if under state law a medical corporation can be held liable for confidentiality breaches committed by an employee who isn’t a physician and has acted outside of his/her scope of employment.
This point has been litigated in other areas, and in most of the cases I’ve read, the entity was found to be not liable for bad actor employees, although there are exceptions such as the Walgreens verdict. Not surprisingly, Newsday reports that Guthrie has argued it can’t be held liable because the nurse acted outside of her duties.
The patient’s lawyers contend that if the clinic isn’t held responsible, it “leaves New Yorkers vulnerable to technology-enabled breaches because medical corporations will have little incentive to control them otherwise.” I think the same point could be made about all types of entities when it comes to willful insider data or privacy breaches.
It will be interesting to see what the New York courts do with this case.
Related Court Filings: