This post was also written by Zachary A. Portin.

Can a medical corporation be directly liable under New York law for breaching its common law fiduciary duty of confidentiality when a non-physician employee acted outside the scope of his or her employment by making an unauthorized disclosure of an individual’s confidential health information?  This is the question that the U.S. Court of Appeals for the Second Circuit posed to the New York State Court of Appeals last month when it requested an advisory opinion from the state’s highest court in order to resolve Doe v. Guthrie Clinic Ltd.

Plaintiff Doe sued various Pennsylvania-based entities (the “Guthrie Defendants”) that owned and operated the Guthrie Clinic Steuben (the “Clinic”) located in New York after one of the Clinic’s nurses sent six text messages to Doe’s girlfriend informing her that Doe was being treated for sexually transmitted diseases.  Plaintiff Doe brought several tort claims against the Guthrie Defendants, including a novel claim that the common law cause of action for breach of the fiduciary duty to keep medical records confidential runs directly against medical corporations, even when the employee responsible for the breach is not a physician and acted outside the scope of her employment.

Although HIPAA does not create a private right of action under federal law, an aggrieved patient may avail himself or herself to state law causes of action.  For example, New York imposes a general duty to maintain the confidentiality of personal health information as well as a specific common law cause of action against a physician who improperly discloses confidential information.  In 2000, the Appellate Division of the New York State Supreme Court also held that a patient was permitted to sue a health insurer whose records clerk wrongfully disclosed treatment information.  Nevertheless, the Second Circuit elected to certify the question to the Court of Appeals with regard to the Guthrie Defendants after it concluded that no controlling precedent existed.

A favorable ruling for Plaintiff Doe threatens to vastly expand the scope of liability faced by providers and other entities involved in the delivery of healthcare.  Perhaps most concerning from the perspective of providers is the prospect of such entities facing liability under New York law for unforeseeable misconduct committed by non-physician employees.  Regardless of the Second Circuit’s ultimate disposition of this legal question, the case underscores the importance of developing and maintaining a robust compliance program to combat such misconduct.