In Doe v. Guthrie Clinic, Ltd., the New York Court of Appeals considered the following question:
Whether, under New York law, the common law right of action for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information may run directly against medical corporations, even when the employee responsible for the breach is not a physician and acts outside the scope of her employment?
The answer, according to the court, is “no”.
[Plaintiff] was being treated for a sexually transmitted disease (STD) at the Guthrie Clinic Steuben, a private medical facility. A nurse employed by the Clinic recognized Doe as the boyfriend of her sister-in-law. The nurse accessed Doe’s medical records and learned that he was being treated for the STD. While Doe was still awaiting treatment, she sent text messages to her sister-in-law informing her of Doe’s condition. The sister-in-law immediately forwarded the messages to Doe; according to Doe, the messages suggested that staff members were making fun of his medical condition.
The Second Circuit previously found that the nurse’s actions were not foreseeable to defendants, and that her actions were not taken within the scope of her employment (such that her actions could not be imputed to defendants on the basis of the doctrine of respondeat superior).
Generally, a hospital or medical corporation may be held vicariously liable for the wrongful acts of its employees. However, [u]nder the doctrine of respondeat superior, an employer may be vicariously liable for the tortious acts of its employees only if those acts were committed in furtherance of the employer’s business and within the scope of employment. Thus, a medical corporation is generally not liable for a tort of an employee when such an action is not within the scope of employment. (Emphasis added)
The court cited its decision in N.X. v. Cabrini Med. Ctr. in which it declined to “hold a medical corporation to a ‘heightened duty’ for an employee’s misconduct”. It reasoned that while a hospital does have a “duty to safeguard the welfare of its patients”, that duty is limited in that it “does not render a hospital an insurer of patient safety” and “is circumscribed by those risks which are reasonably foreseeable.”
Applying this reasoning here, the court declined to “impose absolute liability on the medical corporation for an employee’s dissemination of a patient’s confidential medical information” and held that “a medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment.”