In the following case, a New York court showed why this doctrine is not always applicable.
In 2010, “John Doe” was being treated for a sexually transmitted disease at a private medical facility in New York. A nurse at the facility recognized Doe as the boyfriend of her sister-in-law. The nurse, not assigned to Doe’s care, checked Doe’s chart and learned of his diagnosis and treatment.
While Doe was waiting for his treatment, the nurse texted her sister-in-law and told her Doe was being treated for the STD. The manner in which she texted this information led the sister-in-law to believe the staff was making fun of his diagnosis and treatment. The sister-in-law immediately forwarded the messages to Doe.
Five days after his treatment, Doe met with the administrator of the facility and the nurse was fired. A letter was sent to Doe from the president and CEO of the facility informing Doe that an unauthorized disclosure of his confidential health information did occur, appropriate disciplinary action had been taken and steps put into place to prevent such a breach from happening in the future.
Doe then filed a lawsuit in federal court against the facility and other facilities that were associated through staffing and ownership, alleging several causes of action. They included breach of fiduciary duty to maintain the confidentiality of personal health information, breach of contract, negligent hiring and training of employees, and breach of duty to maintain patient confidentiality, according to records.
Numerous legal proceedings prior to this one resulted in a dismissal of all of Doe’s allegations except his claim of breach of fiduciary duty. This court was asked to certify if the breach of fiduciary duty claim could go forward.
The court reviewed the lower court rulings leading up to this one. It supported the Second Circuit Court’s ruling that the actions of the nurse were not foreseeable to the facility, nor was her behavior within the scope of her employment. Rather, as Doe’s complaint stated, her conduct was “motivated by purely personal reasons and ‘those reasons had nothing to do with [Doe’s] treatment and care.’”
Therefore, the lower court held that respondeat superior cannot be applied in this case. But that court was unsure if a distinct cause of action against the facility for a breach of its duty to maintain patient confidentiality can survive when respondeat superior liability is absent. This question was what this court had to determine.
The court opined that a medical facility’s duty of safekeeping a patient’s confidential medical information is “limited to those risks that are reasonably foreseeable and to actions within the scope of employment.”
Because the nurse’s misconduct did not meet these requirements, the facility cannot be held liable in this case or any other case in which respondeat superior is absent.
However, the court did point out that an employer could be held liable if evidence exists that the facility was negligent in hiring or supervising its employees or if it failed to establish adequate policies and procedures to safeguard confidential patient information. The lower court decisions in this case dismissed these allegations and this court did not further address them.
As you know all too well, the protection of patient confidentiality is an essential duty of all healthcare providers, including nurses.
What this case underscores about patient confidentiality is that there can be liability for a facility for its own duties to protect a patient’s medical information.
But if an employee who is obligated to protect patient medical information acted in a manner as this nurse did, the only potential liability is with the employee and not the employer.
Apparently Doe did not name the nurse in his lawsuit but elected to sue only the facilities that either owned or provided staff and other support to the facility. Perhaps Doe thought this was how he could obtain the largest amount of a monetary award. If so, the decision was unwise at best. Doe cannot now file the same suit against the nurse under the doctrine of res judicata, which bars the same parties from litigating a second lawsuit on the same claim or any other claim arising from the transaction or series of transactions that could have been — but were not — raised in the first suit (Black’s Law Dictionary, 1336).
Clearly, the nurse should have been an essential defendant in this case. Her unprofessional behavior could have, I believe, resulted in a judgment against her. Moreover, a complaint to the state board of nursing would more likely than not result in a discipline.
A breach of confidentiality can take many forms, including the one in this case. You can read more about patient confidentiality violations in Beltran-Aroca and others’ 2016 article, “Confidentiality Breaches in Clinical Practice: What Happens In Hospitals?” .
Although this was a New York case, it provides guidance in your duty to maintain patient confidentiality. Keep the following guidelines in mind at all times
1 — Never breach a patient’s confidential medical information.
2 — If you are unsure about sharing a patient’s information, seek guidance from your nurse manager.
3 — Know and follow your facility’s policies and procedures governing patient confidentiality without fail.
4 — Never seek information about a patient for whom you are not providing care.
5 — Know what your state nurse practice act requires of you in regard to maintaining patient confidentiality.
Editor’s note: Nancy Brent’s posts are designed for educational purposes only and are not to be taken as specific legal or other advice. Individuals who need advice on a specific incident or work situation should contact a nurse attorney or attorney in their state. Visit The American Association of Nurse Attorneys website to search its attorney referral database by state.
CE513: HIPAA and Confidentiality
(1 contact hr)
The federal Health Insurance Portability and Accountability Act was implemented in 1996 and has been revised since then. HIPAA can refer to guidelines that protect your ability to maintain your health insurance as you move from job to job or place to place (“portability”). HIPAA can also refer to efforts to simplify the administration of health insurance. These efforts include the creation of national standards for diagnostic terms, insurance forms and provider identification. Perhaps the most common use of the term for healthcare professionals, however, involves protecting the confidentiality and privacy of healthcare information. In this module, you will learn about parts of HIPAA, especially as they concern nursing and other health professionals and the protection of healthcare information. Because you play a key role in the production of healthcare information, you play a key role in its protection.
WEB334: Legal Landscape of Electronic Prior Authorization (ePA) and Its Effect on Patients and Prescribers
(1 contact hr)
The goal of this presentation is to discuss ePA mandates, points of access to ePA, the role of plans, and the effect of ePA solutions on patient care and outcomes. Upon completion of the webinar, participants will be able to explain the electronic prescription drug prior authorization process and recall named standards, identify states that have legislation surrounding electronic submission of PA requests, describe requirements of various PA legislation, identify access points to ePA solutions and the effect of ePA legislation on prior authorization process, discuss the current state of ePA availability and adoption re: different factors, and explain prior authorization workflow to patients/caregivers.
CE510: Document It Right: Would Your Charting Stand Up to Scrutiny?
(1 contact hr)
This module provides nurses with information about the value of laws and standards governing nursing documentation, legal basics for appropriate documentation, and strategies for documenting changes in a patient’s condition. It describes the legal definition of nursing negligence, characteristics of legally credible charting, and charting practices that can lead to legal problems.