Vicarious Liability in HIPAA Violation Cases


Cleveland HIPAA Violation Lawyer

In Ohio, a patient’s right to privacy of their medical records emanates from both federal law and state common law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides the essential federal regulatory framework for protection of patients’ protected healthcare information. OhioHealth Corp. v. Ryan (2012), 2012-Ohio-60, 10AP-937. However, HIPAA does not include a private right of action, so claims must proceed as an Ohio common law claim for violation of the right to privacy. Many people still wrongly refer to these cases as “HIPAA violation” cases.

The basic elements of a claim for violation of the right to privacy are set forth in Biddle v. Warren Gen. Hosp. (1999), 86 Ohio St.3d 395. The syllabus in Biddle provides as follows: “In Ohio, an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or a hospital has learned within a physician-patient relationship.” This rule has been applied to other healthcare providers, such as hospital employees.

As a Cleveland HIPAA violation lawyer, I see that, in defending these claims, hospitals assert that employees who snoop into patients’ records out of curiosity, or to gain information on a rival to use against them, are acting outside the scope of their employment. In most cases, when an employee causes injury to another, the employer is held liable for the employee’s actions. However, at least one court, in Sheldon v. Kettering Health Network, has agreed that a hospital employee’s snooping into a patient’s records is not within the course and scope of employment as a matter of law. This is simply unjust. Worse, this decision ignores the regulatory framework established by HIPAA.

Pursuant to HIPAA, the Department of Health and Human Services has promulgated regulations for hospitals that place the duty to protect patients’ protected healthcare information squarely on the hospital. OhioHealth Corp., supra. In this regard, HIPAA’s regulatory requirements, set forth in 45 CFR §§160 and 164, include the following requirements for protection of patients’ electronically-stored health information:

Covered entities and business associates must do the following:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required ….
  4. Ensure compliance with this subpart by its workforce.

45 CFR §164.306(a). 

In addition to these general requirements, the regulatory framework includes specific requirements not only for training the covered entity’s workforce not to snoop, but also for the implementation of “physical safeguards” and “technical safeguards” that prevent such unauthorized access to patients’ protected health information. 45 CFR §164.310(a)(1) sets forth the requirements for physical safeguards. These mandatory requirements include the implementation of “policies and procedures to limit physical access to its electronic information systems,” “policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access …,” and “procedures to control and validate a person’s access to facilities based on their role or function ….”

The technical safeguard requirements are set forth at 45 CFR § 164.312.  They include the implementation of “technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights ….”

When a hospital employee snoops into a patient’s records, the patient’s right to privacy of her protected healthcare information is violated in three separate ways. First, the hospital violates the right to privacy by disclosing the patient’s protected healthcare information to all of its employees having access credentials, if the hospital failed to implement a physical or technical software-based “firewall” to prevent access by employees who have no authority or business reason for doing so. In failing to maintain these safeguards, the hospital failed to “[e]nsure the confidentiality… of all electronic protected health information” and failed to “[p]rotect against any reasonably anticipated… disclosures of such information that are not permitted…,” as required by 45 CFR § 164.306(a). By disclosing patients’ electronic medical records to all hospital employees with access to the electronic medical record system, including unauthorized employees, the hospital directly violates HIPAA and the patient’s common law right to privacy.

Hospitals argue that their employees must have access to all CCF patient records at all times due to potential emergencies. However, HIPAA’s technical safeguard requirements include a requirement that the covered entity “[e]stablish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” 45 CFR § 164.312. So, the hospital must prove that the access was obtained by operation of an emergency protocol.
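As an added illustration (not from this article or the law firm) of the kind of technical safeguard and emergency procedure 45 CFR § 164.312 describes, the following check denies chart access outside a treatment relationship, allows a documented break-glass (emergency) access, records the basis of every decision, and returns the emergency and denied accesses for review. The treatment-team roster, user names and patient identifiers are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample roster: which workforce members currently treat which
# patient. In practice this comes from admission and scheduling records.
TREATMENT_TEAM = {
    "MRN-1001": {"dr_patel", "rn_gomez"},
    "MRN-1002": {"dr_lee"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    patient: str
    break_glass: bool = False  # user invoked the emergency procedure
    reason: str = ""           # justification required for break-glass


def decide(req, treatment_team):
    """Return (allowed, basis). The basis goes into the audit trail so the
    covered entity can later show on what authority a record was opened."""
    if req.user in treatment_team.get(req.patient, set()):
        return True, "treatment_relationship"
    if req.break_glass:
        if not req.reason.strip():
            return False, "break_glass_without_reason"
        return True, "emergency_access"
    return False, "no_authorization"  # credentials alone grant nothing


def audit(requests, treatment_team):
    """Apply the policy to each request and return the full audit trail plus
    the entries needing human review: every emergency access (to confirm an
    emergency existed) and every denied attempt (a snooping signal)."""
    trail = []
    for req in requests:
        allowed, basis = decide(req, treatment_team)
        trail.append({"user": req.user, "patient": req.patient,
                      "allowed": allowed, "basis": basis, "reason": req.reason})
    review = [e for e in trail if e["basis"] != "treatment_relationship"]
    return trail, review


# Constructed access attempts: routine care, a justified emergency, and two
# attempts by a user with no treatment relationship to the patient.
SAMPLE_REQUESTS = [
    AccessRequest("rn_gomez", "MRN-1001"),
    AccessRequest("dr_lee", "MRN-1001", break_glass=True, reason="covering ED, code blue"),
    AccessRequest("clerk_smith", "MRN-1002"),
    AccessRequest("clerk_smith", "MRN-1002", break_glass=True),
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_REQUESTS, TREATMENT_TEAM)[1]:
        print(entry)
```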

The second way in which hospitals may violate a patient’s right to privacy is by being held vicariously liable for the actions of an employee who, in the course and scope of her employment, accessed the patient’s protected healthcare information without authorization or a business reason for doing so. Ohio law is clear that “an employee’s wrongful act, even if it is unnecessary, unjustified, excessive, or improper, does not automatically take such act manifestly outside the scope of employment.” Siegel v. State, 2015-Ohio-441, 28 N.E.3d 612, ¶ 31 (10th Dist.); see also Osborne v. Lyles (1992), 63 Ohio St.3d 326, 330 (“the willful and malicious character of an employee’s act does not always, as a matter of law, remove the act from the scope of employment.”).

The Supreme Court of Ohio discussed the boundaries of the doctrine of respondeat superior in Osborne v. Lyles (1992), 63 Ohio St.3d 326. In Osborne, the Court held that summary judgment was not proper on the issue of whether a municipality could be held vicariously liable for an assault committed by one of its police officers, even though the officer was off duty at the time of the assault. The Court confirmed that “it is commonly recognized that whether an employee is acting within the scope of his employment is a question of fact to be decided by the jury.” Id. at 330 (citations omitted).

The Osborne Court set forth general principles of respondeat superior as follows:

The doctrine of respondeat superior is expressed in the Restatement of the Law 2d, Agency (1958) 481, Section 219(1), which states as follows: “A master is subject to liability for the torts of his servants committed while acting in the scope of their employment.” Ohio law provides, “[i]t is well-established that in order for an employer to be liable under the doctrine of respondeat superior, the tort of the employee must be committed within the scope of employment. Moreover, where the tort is intentional, * * * the behavior giving rise to the tort must be ‘calculated to facilitate or promote the business for which the servant was employed * * *.’ ” (Citations omitted.) Byrd v. Faber (1991), 57 Ohio St.3d 56, 58, 565 N.E.2d 584, 587.

The willful and malicious character of an employee’s act does not always, as a matter of law, remove the act from the scope of employment. Stranahan Bros. Catering Co. v. Coit (1896), 55 Ohio St. 398, 410, 45 N.E. 634, 637; Wiebold Studio, Inc. v. Old World Restorations, Inc. (1985), 19 Ohio App.3d 246, 19 OBR 398, 484 N.E.2d 280. “When an employee diverts from the straight and narrow performance of his task, the diversion is not an abandonment of his responsibility and service to his employer unless his act is so divergent that its very character severs the relationship of employer and employee. * * * ” Id. at 250, 19 OBR at 403, 484 N.E.2d at 287, citing Amstutz v. Prudential Ins. Co. of America (1940), 136 Ohio St. 404, 16 O.O. 572, 26 N.E.2d 454. See, also, Thomas v. Ohio Dept. of Rehab. & Corr. (1988), 48 Ohio App.3d 86, 548 N.E.2d 991, wherein the court held that a corrections officer’s unjustified use of force against an inmate does not automatically take his actions outside the scope of his employment, and the state may be held liable under the theory of respondeat superior.

The Osborne Court clarified that summary judgment is only proper if the employee’s acts “in no way” facilitate or promote the employer’s business. Id. An employee’s mere “diversion” from the “straight and narrow performance” of the job does not constitute an “abandonment of his responsibility and service to his employer.” Sanders v. Fridd, 2013-Ohio-4338, 998 N.E.2d 526, ¶ 20 (10th Dist.). Rather, an act is only outside the course and scope when it “is so divergent that its very character severs the relationship of employer and employee.” Id.

In HIPAA violation cases, the snooping employee was vested with access to patients’ protected healthcare information solely by virtue of that employment. Since accessing patients’ records was well within the scope of the employee’s duties, accessing Ms. Loescher’s record was not “so divergent in its very character” from the employee’s normal work duties, particularly since those duties required that the employee be supplied with “the necessary instrumentalities,” a computer terminal and access credentials to all patient information, to carry out his or her job. See Thomas v. Ohio Dept. of Rehab. & Corr. (1988), 48 Ohio App.3d 86, 89-90.

If reasonable minds can conclude that the employee’s conduct provided any “benefit or furtherance of the [employer’s] business,” summary judgment is improper. McKee v. McCann, 2017-Ohio-7181, 95 N.E.3d 1079, ¶ 54 (8th Dist.).  Because this analysis requires a weighing of the evidence, the Ohio Supreme Court has stated that whether an employee was “acting within the scope of his employment is typically a question to be decided by the trier of fact.”  See Osborne, 63 Ohio St.3d at 330.

The Eighth District has ruled that summary judgment should be denied under similar circumstances. In Ousman v. Dairy Mart Stores, 8th Dist. Cuyahoga No. 67237, 1994 Ohio App. LEXIS 4726, at *2 (Oct. 20, 1994), the plaintiff alleged that, while standing at the checkout counter of a convenience store, he asked to purchase a pack of cigarettes. At that time, a store employee struck him in the face with a pistol and proceeded to beat him. The Court found that a question of fact was established concerning whether the employee’s actions were done within the course and scope of his employment. Id. at *3-4. Ousman makes clear that even when an employee uses reprehensible or criminal tactics to carry out his job duties, he or she does not necessarily depart from the course and scope of the employment relationship.

Similarly, the Tenth District Court of Appeals affirmed a judgment against the employer of a prison corrections officer who struck an inmate in the nose with his weapon. Despite the fact that the prison determined that the officer’s use of force was unjustified (the prisoner was standing with his back against a wall and his hands in his pockets), the Court found the action was within the scope of employment. Thomas v. Ohio Dept. of Rehab. & Correction (1988), 48 Ohio App.3d 86, 89-90. In making this determination, the Court found that the employer both “empowered” the officer with the authority to use force in limited circumstances and provided him the weapon that he used. Id. As in Thomas, a jury could reasonably conclude that a hospital employee was empowered by his or her employer to access the electronic medical record through the use of access credentials and a work computer, and by the hospital’s failure to implement safeguards to prevent unauthorized access to patients’ records.

Hospitals will rely on Sheldon v. Kettering Health Network for the proposition that unauthorized access of a patient’s records by an employee is inherently outside the scope of the employee’s employment. This is a single, unpublished appellate opinion that is not controlling herein. Further, the fact pattern in Sheldon is unclear. In that case, the employee who allegedly accessed the plaintiff’s protected health information, without authorization or a business reason to do so, is identified simply as a “high level administrator.” It is unclear whether his job duties required access to all patient records or whether his job involved patient care at all. Indeed, it was reported that the administrator had to create “one or more fictitious names” to access the plaintiff’s information. In most HIPAA lawsuits, the hospital employee logs in using valid credentials supplied by the hospital on a computer provided by the hospital.

Finally, the Sheldon Court recognized a divergence of opinion on the issue in citing Walgreen Co. v. Hinchy (Ind.Ct.App. 2014), 21 N.E.3d 99.  The Sheldon Court summarized Walgreen Co. v. Hinchy as follows:

In Walgreen Co. vs. Hinchy, 21 N.E.2d 99 (Ind.Ct.App.2014), Audra Withers was a Walgreen’s pharmacist who was involved in a relationship with plaintiff Hinchy’s former boyfriend. Withers accessed Hinchy’s prescription profile to find any information about plaintiff’s potential STD. The boyfriend, to whom the accessed private information was apparently disclosed, contacted Hinchy a few days later claiming he had a printout of her drug information. A jury awarded $1.8 million in damages and determined Walgreen’s and Withers were 80 percent responsible. Upon review, the court of appeals cited portions of the Restatement (Third) of Agency, § 7.07 (2006), including that “[a]n employee’s act is not within the scope of employment when it occurs within an independent course of conduct not intended by the employee to serve any purpose of the employer.” Id. at § 707(2). It also referred to Ingram vs. City of Indianapolis, 759 N.E.2d 1144 (Ind.Ct.App.2001), for the proposition that when some of the employee’s acts are of the same nature as those authorized by the employer and some not, whether the employee is acting within the scope of employment is a question of fact to be determined by the jury. The court concluded that whether “Withers was acting in the scope of her employment was properly determined by the jury rather than as a matter of law by the trial court.” Hinchy at 108.

Given the Ohio Supreme Court’s admonition that such issues usually present a fact question, summary judgment should not be entered in favor of a hospital on the issue of vicarious liability.

For more information about vicarious liability in HIPAA violation cases, contact us today at Mishkind Kulwicki Law Firm.

By David Kulwicki | April 6th, 2020 | For Patients
