A healthcare provider’s civil liability for an employee’s breach of patient confidentiality: Indiana’s evolving law on civil damages for breaches of medical privacy.
Although the federal Health Insurance Portability and Accountability Act (HIPAA) does not provide a private right of action, a plaintiff still may recover damages for the wrongful disclosure of his or her private health information under Indiana law.
A healthcare provider can be held vicariously liable for a wrongful disclosure by its employee when the employee obtains the information through unauthorized access during work hours. See Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App. 2014), reh’g granted, 25 N.E.2d 748, trans. denied (wrongful disclosure of information resulted in a $1.8 million verdict). This may be true even if the employee accesses that information for purely personal reasons.
However, when an employee has come upon such information deliberately, hospitals and other healthcare providers have been able to limit their liability through employee confidentiality agreements. For example, in 2015, a case arose where a licensed nurse signed a confidentiality agreement when she applied for a position with a medical school. The agreement read in relevant part:
I will only access, use (read, add, change, or delete), or disclose information for which I have a business reason and am authorized to do so. At no time will I access, use, or disclose confidential or sensitive information to any person or third party for a personal, unauthorized, unethical, or illegal reason.
On her first day of work, the nurse accessed the patient information of someone known to her and whom the nurse was not treating. Because of this agreement, the medical school was able to obtain summary judgment by showing that the access and disclosure of patient information was made for personal reasons (and not business reasons) and was, accordingly, wholly unauthorized. While the nurse could still be individually liable for the wrongful disclosure, her employer was not vicariously liable for her actions. A similar situation and ruling occurred again in 2019.
However, limits to the “confidentiality agreement” defense were recently established in May 2020 by the Indiana Court of Appeals. There, the employee had signed a similar confidentiality agreement. Unlike in the previous cases, the employee, a medical assistant charged with entering patient information, came upon the patient information in the normal course of her job as the patient was being treated. When she came upon the information, she used it for personal reasons. The Court of Appeals held essentially that because the employee simply happened upon the information while performing her authorized job duties, as opposed to seeking out the information, the confidentiality agreement could not bar vicarious liability. In so doing, the Court applied the well-established rule of vicarious employee liability: “[w]here an employee acts partially in self-interest but is still partially serving her employer’s interests, liability will attach.” (citations omitted).
Healthcare providers may limit their liability when an employee deliberately accesses and discloses patient information for personal reasons by using employee confidentiality agreements. Such agreements, however, will not insulate the provider from vicarious liability if the employee comes upon the information in an authorized fashion such as entering chart information or providing patient care.
This article is for information purposes only and is not intended to constitute legal advice.