If someone at a hospital accesses and distributes a patient’s private medical information, what is the proper process that the patient should use to pursue their claims? In this case, the plaintiffs did not try to take their claims through the medical panel review process—and this was the correct decision.
Heather and Katrina worked together at IOC for 5 years, during which Katrina was Heather’s direct supervisor. At some point, Katrina introduced Heather to her stepson, Kevin; the two began dating and eventually married. However, the marriage did not last, and Heather and Kevin divorced in 2010. Heather received custody of the couple’s two children, and she later married Daniel. Heather’s relationship with Katrina’s family was strained after this.
In 2012, Community acquired IOC and trained Katrina as a medical records coordinator. This included training on patient confidentiality and HIPAA. After successfully completing this training, Katrina was given access to Epic, Community’s electronic medical records system. She was given permission to schedule appointments and release records of the patients only within IOC. She was strictly prohibited from accessing any patient record without a business need or for personal reasons.
Katrina did not follow these rules. Between January and September 2013, she looked up the medical records of multiple patients, including Heather and her family, on Community computers while she was on the job. Community informed the patients of Katrina’s unauthorized access to their records and terminated Katrina. The plaintiffs filed suit against Community based on Katrina’s unauthorized access of their medical records. Community moved to dismiss, arguing that the trial court did not have subject matter jurisdiction because the plaintiffs did not go through the medical panel review process. Community also moved for summary judgment, arguing that (1) it was not vicariously liable for Katrina’s conduct, (2) it owed no actionable duty, and (3) plaintiffs were not damaged by the breach. The trial court denied both motions, and Community appealed.
The Court addressed Community’s motion to dismiss first on appeal. It started its analysis with the statutory definition of medical malpractice—“a tort or breach of contract based on health care or professional services that were provided, or that should have been provided, by a health care provider, to a patient.” The Court said that this definition did not extend to cases of ordinary negligence against healthcare providers. In order to determine whether the plaintiffs’ claims fell within the Medical Malpractice Act, the Court would need to look to the substance of the claims. And the claims here did not fall within the statutory definition of malpractice.
Contrary to Community’s assertions, we do not find Gordon persuasive here because its holding on the maintenance of records is not applicable to this case. Gordon dealt with the “skillful, accurate, and ongoing” maintenance of a patient’s health records by “physicians and other health care providers” so that the health care providers can have access to relevant information for the treatment of their patients. The underlying claims against the hospital and one of its physicians were for medical malpractice and, importantly, spoliation, claiming that the hospital lost health records that were vital to the medical malpractice claim. Here, the underlying claims against Community are for respondeat superior and negligent training, supervision, and retention. Appellees do not allege that records were lost, nor do they claim that Katrina provided them medically improper treatment; rather, their claims against Community arise from Katrina’s access of their confidential health information records. As such, the MMA does not apply to Appellees’ claims because the conduct at issue is “demonstrably unrelated to the promotion of the plaintiff’s health or an exercise of the provider’s professional expertise, skill, or judgment.”
The Court then turned to Community’s summary judgment motion. Community argued that there was no respondeat superior in this case because Katrina was acting outside the scope of her employment when she accessed the medical records. Again, the Court disagreed. It first distinguished this case from an earlier one involving similar facts, for in that earlier case the employee admitted that she accessed the patient’s information solely for personal reasons and that she was acting on her own initiative and not within the scope of her employment. There was no such admission here (although this will likely be an important factual question). Instead,
Katrina’s actions were of the same general nature as those authorized, or incidental to the actions that were authorized, by Community. There is no dispute that Katrina was authorized to use her assigned desktop computer with Epic and other software to access patient health information. There remains a question of fact regarding why and what Katrina did with Appellees’ private health information. Because Katrina misused employer-conferred power and authority to access the health information, whether Katrina was acting within the scope of her employment is an issue to be determined by the trier of fact.
Turning to the question of duty, the Court rejected Community’s assertion that it owed plaintiffs no actionable duty to protect the confidentiality of their medical information. The Court noted that neither Indiana nor federal statutes protecting this kind of information create a private right of action.
However, the absence of a private right of action under either statute does not necessarily resolve the issue before us. … In Henry, … this Court concluded that “there is–and, in modern times, always has been–a common law duty of confidentiality owed by medical providers to their patients.” … [I]n response to a request for admission, Community admitted that “it had a responsibility to provide reasonable and appropriate safeguards to ensure confidentiality, integrity, and availability of the electronic protected health information of its patients.” Accordingly, Community’s argument that it negated the element of a duty owed to Appellees fails.
Community argued that even if it owed a duty, it did not breach that duty because it appropriately trained and supervised Katrina. The Court found a genuine issue of fact on this point. In doing so, it pointed to the opinion of plaintiffs’ expert, who stated that “[t]he fact that [Katrina] accessed private patient information and no one at the hospital was aware of the same for such a long period of time indicates that even if there are protocols in place, they are not being followed appropriately.”
[I]t is not enough for Community to point to its training and education materials that should have prevented Katrina’s access of Appellees’ health information. Indeed, our supreme court has held that “[e]ven though an employee violates the employer’s rules, orders, or instructions, or engages in expressly forbidden actions, an employer may be held accountable for the wrongful act if the employee was acting within the scope of employment.” Thus, the conflicting designated evidence creates genuine issues of material fact as to whether Community breached its duty to protect the confidentiality of Appellees’ records.
Finally, the Court addressed Community’s argument regarding a lack of damages, and found that Community was ignoring Indiana’s summary judgment standard when making this argument:
Community argues that Appellees’ negligent supervision, training, and retention claim “must fail because they failed to proffer any evidence of an injury which resulted from [its] actions.” However, it is well-settled that although federal practice permits the moving party to merely show that the party carrying the burden of proof at trial lacks evidence on a necessary element, Indiana state courts impose a more onerous burden: to affirmatively “negate an opponent’s claim.” Here, Community’s designated evidence and argument in support of summary judgment on Appellees’ injury do not affirmatively negate Appellees’ claim.
Community did win one small victory. One of the plaintiffs’ claims was for invasion of privacy, and the Court said that this claim “must fail,” because Indiana has not recognized the sub-tort of public disclosure of private facts as an actionable claim.
1. Negligence related to unauthorized access to medical records is not covered by Indiana’s Medical Malpractice Act.
2. A hospital employee who improperly accesses a patient’s medical records from hospital computers on hospital time may be working within the scope of their employment.
3. Medical providers owe their patients a common-law duty to keep the patients’ information confidential.
4. Indiana still does not recognize an invasion of privacy claim based on public disclosure of private facts.