When healthcare employees access patient data without authorization, it is a clear violation of the Health Insurance Portability and Accountability Act’s Privacy Rule, but is the employer liable for the privacy breach?
In 2016, Lindsey Parker, a patient of Carilion Healthcare Corp’s Carilion Clinic in Virginia, took legal action against the clinic and Carilion Healthcare Corp after it was discovered that two employees of the clinic had accessed her medical records and impermissibly disclosed a past diagnosis.
The privacy breach occurred in 2012 when Parker was a patient of the Carilion Rocky Mount Obstetrics & Gynecology clinic. Parker was visiting the clinic about a matter unrelated to her previous diagnosis and, while waiting for treatment, spoke with an acquaintance in the waiting room, Trevor Flava.
Parker alleged that a Carilion employee, Christy Davis, saw the couple talking, accessed Parker’s medical record, and saw her previous diagnosis. Davis is then alleged to have contacted her friend, Lindsey Young, who worked in another Carilion facility, and disclosed the diagnosis and that Parker was conversing with Flava. Young then allegedly accessed Parker’s record, confirmed the diagnosis, and disclosed that diagnosis to Flava.
Parker and her legal team sued Carilion Healthcare Corp, the Carilion Clinic, and both Carilion employees over the impermissible disclosure of her health information. Parker’s complaint alleged that Carilion was directly and vicariously liable for the breach: directly for the failure to secure her medical records, and vicariously under respondeat superior principles. Parker also claimed that the breach amounted to negligence and a violation of HIPAA Rules for failing to ensure the confidentiality of her medical record. Parker also claimed the HIPAA violation constituted a violation of Virginia law.
Carilion argued that the employees had acted outside the scope of their employment, which precluded the respondeat superior claim, and contested the legal viability of the HIPAA violation claim. The Virginia circuit court sustained the demurrers and Parker was granted 21 days to submit an amended complaint. That did not happen, although a notice of appeal was submitted within the legal time frame on December 2, 2016.
The lawsuit has now been partially resurrected by the Virginia Supreme Court. The decision on the claim of direct liability has not been reversed, but the circuit court’s decision on the respondeat superior claim of vicarious liability has.
“Because none of these factual contests can be addressed at the pleading stage of this case, we reverse the circuit court’s order sustaining Carilion’s demurrer,” wrote Justice D. Arthur Kelsey in his opinion. Further consideration is needed on the circumstances that led to the accessing of Parker’s medical records by the employees, the reason why that information was shared, and whether the employees were actively involved in a job-related service at the time of the violation.