Cleveland HIPAA Violation Lawyer

In Ohio, a patient’s right to privacy of their medical records emanates from both federal law and state common law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides the essential federal regulatory framework for protection of patients’ protected healthcare information. OhioHealth Corp. v. Ryan (2012), 2012-Ohio-60, 10AP-937. However, HIPAA laws do not include a private right of action, so claims must proceed pursuant to an Ohio common law claim for violation of the right to privacy. Many people still wrongly refer to these cases as “HIPAA violation” cases.

The basic elements of a claim for violation of the right to privacy are set forth in Biddle v. Warren Gen. Hosp. (1999), 86 Ohio St.3d 395. The syllabus in Biddle provides as follows: “In Ohio, an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or a hospital has learned within a physician-patient relationship.” This rule has been applied to other healthcare providers, such as hospital employees.

As a Cleveland HIPAA violation lawyer, I see that, in defending these claims, hospitals assert that employees who snoop into patients’ records out of curiosity, or to gain information on a rival to use against them, are acting outside the scope of their employment. In most cases, when an employee causes injury to another, the employer is held liable for the employee’s actions. However, at least one court, in Sheldon v. Kettering Health Network, has agreed that a hospital employee’s snooping into a patient’s records is not within the course and scope of employment as a matter of law. This is simply unjust. Worse, this decision ignores the regulatory framework established by HIPAA laws.

Pursuant to HIPAA, the Department of Health and Human Services has promulgated regulations for hospitals that place the duty to protect patients’ protected healthcare information squarely on the hospital. OhioHealth Corp., supra. In this regard, HIPAA’s regulatory requirements, set forth in 45 CFR §§160 and 164, include the following requirements for protection of patients’ electronically stored health information:

Covered entities and business associates must do the following:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required ….
  4. Ensure compliance with this subpart by its workforce.

45 CFR §164.306(a).

In addition to these general requirements, the regulatory framework includes not only specific requirements for training the covered entity’s workforce not to snoop, but also the implementation of “physical safeguards” and “technical safeguards” that prevent such unauthorized access to patients’ protected health information. 45 CFR §164.310(a)(1) sets forth the requirements for physical safeguards. These mandatory requirements include the implementation of “policies and procedures to limit physical access to its electronic information systems,” “policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access …,” and “procedures to control and validate a person’s access to facilities based on their role or function ….”

The technical safeguard requirements are set forth at 45 CFR § 164.312.  They include the implementation of “technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights ….”

When a hospital employee snoops into a patient’s records, the patient’s right to privacy of her protected healthcare information is violated in three separate ways. First, the hospital violates the right to privacy by disclosing the patient’s protected healthcare information to all of its employees having access credentials, if the hospital has failed to implement a physical or technical software-based “firewall” to prevent access by employees who have no authority or business reason for doing so. In failing to maintain these safeguards, the hospital has failed to “[e]nsure the confidentiality… of all electronic protected health information” and has failed to “[p]rotect against any reasonably anticipated… disclosures of such information that are not permitted…,” as required by 45 CFR § 164.306(a). By disclosing patients’ electronic medical records to all hospital employees with access to the electronic medical record system, including unauthorized employees, the hospital directly violates HIPAA laws and the patient’s common law right to privacy.

Hospitals argue that their employees must have access to all CCF patient records at all times due to potential emergencies. However, HIPAA’s technical safeguard requirements include a requirement that the covered entity “[e]stablish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” 45 CFR § 164.312. So, if the hospital relies on an emergency justification, it must prove that the access was obtained by operation of an emergency protocol.

The second way in which a hospital may be liable for violating a patient’s right to privacy is vicarious liability for the actions of its employee who, in the course and scope of her employment, accessed the patient’s protected healthcare information without authorization or a business reason for doing so. Ohio law is clear that “an employee’s wrongful act, even if it is unnecessary, unjustified, excessive, or improper, does not automatically take such act manifestly outside the scope of employment.” Siegel v. State, 2015-Ohio-441, 28 N.E.3d 612, ¶ 31 (10th Dist.); see also Osborne v. Lyles (1992), 63 Ohio St.3d 326, 330 (“the willful and malicious character of an employee’s act does not always, as a matter of law, remove the act from the scope of employment.”).

The Supreme Court of Ohio discussed the boundaries of the doctrine of respondeat superior in Osborne v. Lyles (1992), 63 Ohio St.3d 326. In Osborne, the Court held that summary judgment was not proper on the issue of whether a municipality could be held vicariously liable for an assault committed by one of its police officers, even though the officer was off duty at the time of the assault. The Court confirmed that “it is commonly recognized that whether an employee is acting within the scope of his employment is a question of fact to be decided by the jury.” Id. at 330 (citations omitted).

The Osborne Court set forth general principles of respondeat superior as follows:

The doctrine of respondeat superior is expressed in the Restatement of the Law 2d, Agency (1958) 481, Section 219(1), which states as follows: “A master is subject to liability for the torts of his servants committed while acting in the scope of their employment.” Ohio law provides, “[i]t is well-established that in order for an employer to be liable under the doctrine of respondeat superior, the tort of the employee must be committed within the scope of employment.  Moreover, where the tort is intentional, * * * the behavior giving rise to the tort must be ‘calculated to facilitate or promote the business for which the servant was employed * * *.’ ” (Citations omitted.) Byrd v. Faber (1991), 57 Ohio St.3d 56, 58, 565 N.E.2d 584, 587.
The willful and malicious character of an employee’s act does not always, as a matter of law, remove the act from the scope of employment. Stranahan Bros. Catering Co. v. Coit (1896), 55 Ohio St. 398, 410, 45 N.E. 634, 637; Wiebold Studio, Inc. v. Old World Restoration