Indiana Appellate Court Addresses Employer Liability For HIPAA Violation

The Court of Appeals of Indiana (“Indiana Appellate Court”) held in its opinion dated May 15, 2020 in a HIPAA violation case “there is an issue of fact as to whether [the employee’s] conduct was incidental to authorized employment activities. We therefore find that the trial court erred in granting summary judgment in favor of [the defendant health care provider] on the respondeat superior claim, reverse that portion of the order, and remand for further proceedings.”

The Underlying Facts

On October 19, 2017, the plaintiff went to her appointment at her OB/GYN’s office on the campus of defendant Parkview Health System, Inc. (“Parkview”). At that time, Alexis Christian (“Christian”) was employed by Parkview Physician Group—General Surgery as a medical assistant and occasionally worked with the OB/GYN group by assisting the staff with registering and rooming patients and inputting patient registration information into Parkview’s electronic health record system. Christian was working in this capacity on the day of the plaintiff’s OB/GYN appointment.

As a Parkview employee, Christian had signed a Confidentiality Agreement and an Acknowledgment Regarding Access to Patient Information, acknowledging her understanding of Parkview’s confidentiality policy.

During the plaintiff’s appointment, Christian accessed the plaintiff’s electronic health record for approximately one minute, purportedly to enter the plaintiff’s personal information from a patient information worksheet. At that time, Christian also asked another nearby medical assistant if she knew who the plaintiff was and was told that the plaintiff was a dispatcher.

Christian then immediately texted information about the plaintiff to Christian’s husband, disclosing the plaintiff’s name, the fact that she was a patient, a potential diagnosis, and that she worked as a dispatcher. Christian also texted her husband that the plaintiff was HIV-positive and had had more than fifty sexual partners, although this information was not included in her chart and was ultimately false. Christian testified during her deposition that she had been checking Facebook on her phone during her lunch break earlier that day and had seen that the plaintiff had liked a photo of her husband, and that she was concerned that the plaintiff and her husband may have had a sexual history together.

Christian’s husband’s sister subsequently used the husband’s phone and saw the texts from Christian about the plaintiff. The sister reported to Parkview that Christian had texted information about a patient and that a potential HIPAA violation had occurred. Parkview investigated the alleged HIPAA violation and subsequently terminated Christian’s employment. The plaintiff was advised about the unauthorized disclosure of her protected health information five days later.

The plaintiff filed a complaint for damages against Parkview alleging claims for respondeat superior, direct negligence for Parkview’s negligent training, supervision, and retention, and direct negligence for Parkview’s violation of its statutory and common-law duties of protection of privacy under HIPAA. Parkview moved for summary judgment on each of the three claims, arguing that (1) Parkview was not liable under respondeat superior because it did not authorize Christian’s conduct and there was no legitimate business reason for her conduct; (2) Parkview was not negligent in its training, monitoring, and supervision of its employees; and (3) no violation of HIPAA occurred.

The trial court ultimately granted summary judgment to Parkview on all three counts, and the plaintiff appealed as to the grant of summary judgment solely on the respondeat superior claim.

Indiana Appellate Court Opinion

Respondeat Superior

The Indiana Appellate Court stated, “When considering an employer’s liability for the actions of its employee, “[t]he general rule is that vicarious liability will be imposed upon an employer under the doctrine of respondeat superior where the employee has inflicted harm while acting ‘within the scope of employment’” and the employer would not otherwise be liable for its own acts.”

To fall within the scope of employment, the employee’s injurious act must either (1) be incidental to the conduct authorized, or (2) to an appreciable extent, further the employer’s business. Whether an act falls within the scope of employment is generally a question of fact.

The Indiana Appellate Court stated that employers will not be held responsible for acts that are entirely unauthorized or for acts done on the employee’s own initiative, with no intention to perform it as part of or incident to the service for which he is employed. If some of the employee’s actions were authorized, the question of whether the unauthorized acts were within the scope of employment is one for the jury. If none of the employee’s acts were authorized, the matter is a question of law.

In the case it was deciding, the Indiana Appellate Court stated that the evidence shows that Christian’s misconduct was “of the same general nature” as her regular and authorized job duties (i.e., accessing a patient’s chart would be a standard part of Christian’s assigned role). Furthermore, Christian was in the midst of performing authorized job duties—namely, entering patient information into the electronic charts—when she accessed the plaintiff’s record and proceeded to text information about the plaintiff to her husband, “thereby making the misconduct “intermingled” with her ordinary, authorized job duties.”

The Indiana Appellate Court stated, “even if the specific act of texting information about [the plaintiff] was not authorized, Christian’s misconduct occurred while at work and was sandwiched between other authorized job functions—facts which weigh in favor of finding that the misconduct was within the scope of employment … Christian was at work, used Parkview’s equipment, and utilized access granted by Parkview in committing the wrongful acts … This also weighs in favor of Court of Appeals of Indiana | Opinion 19A-CT-2671 | … finding that Christian was acting within the scope of her employment, as it suggests that, at least to some degree, Christian’s employment at Parkview enabled her to commit the misconduct in question.”

The Indiana Appellate Court further stated, “Next, the fact that the wrongful act violates an explicit policy or rule of the employer’s does not preclude respondeat superior … The scope of employment may include acts that the employer expressly forbids … Therefore, Parkview may be held vicariously liable for Christian’s misconduct even if the actions in question ran directly counter to Parkview rules or policies, such as the Confidentiality Agreement and the Acknowledgment Regarding Access to Patient Information.”

The Indiana Appellate Court held: “Because at least some of the acts surrounding Christian’s misconduct were authorized, the issue of respondeat superior must be left to the jury … [B]ecause the evidence demonstrates that even just some of Christian’s acts were authorized—for example, accessing the chart to input patient information, as discussed previously—the issue is inappropriate for summary judgment.”

“We do not disagree that subjective intent and a focus on the specific act of misconduct, rather than the whole employment context, are relevant considerations in the second prong of the scope of employment framework, which considers whether the injurious act “further[ed] the employer’s business” … But where Parkview’s proffered analysis falls short is that it focuses solely on these considerations—relevant only to half of the possible scope of employment framework—and wholly fails to address any arguments made with regards to whether Christian’s actions fit under the “incidental to” prong … subjective motivation is relevant only as to whether the misconduct furthers the employer’s interests, not whether it was incidental to authorized conduct.”

“[W]e find that that there is a genuine issue of fact on the scope of employment issue; specifically, there is an issue of fact as to whether Christian’s conduct was incidental to authorized employment activities. We therefore find that the trial court erred in granting summary judgment in favor of Parkview on the respondeat superior claim, reverse that portion of the order, and remand for further proceedings.”

A dissenting opinion stated: “I conclude that the trial court properly granted summary judgment to Parkview because Christian was not acting in the scope of her employment … Christian accessed the medical records for a non-employment related reason in direct violation of the Parkview Confidentiality Agreement and Acknowledgement that Christian signed. I conclude, based on Hayden, that the trial court properly granted summary judgment to Parkview. Accordingly, I dissent.”

Source SoderVick v. Parkview Health System, Inc., Opinion 19A-CT-2671.

If you or a loved one were harmed as a result of a HIPAA violation in Indiana or in another U.S. state, you should promptly find an Indiana medical malpractice lawyer, or a medical malpractice lawyer in your state, who may investigate your HIPAA violation claim for you and represent you or your loved one in a HIPAA violation case, if appropriate.

Click here to visit our website or call us toll-free in the United States at 800-295-3959 to find medical malpractice attorneys in your U.S. state who may assist you.

Turn to us when you don’t know where to turn.

This entry was posted on Saturday, July 4th, 2020 at 5:22 am. Both comments and pings are currently closed.

placeholder

Easy Free Consultation

Fill out the form below for a free consultation or contact us directly at 800.295.3959

[recaptcha]

Easy Free Consultation

Fill out the form below for a free consultation or contact us directly at 800.295.3959

[recaptcha]