The Spectre of Strict Liability For An Employee’s HIPAA Breach

by John Zen Jackson

On May 7, 2015, the Supreme Court of Indiana denied any further review in the matter of Walgreen Company v. Hinchy  This denial of review leaves standing the opinion of the intermediate Court of Appeals that had upheld a $1.44 million verdict against Walgreen Company for a breach of confidentiality by an employed pharmacist. Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App. 2014), 29 N.E.3d 748 (Ind. Ct. App.), transfer denied, 2015 Ind. LEXIS 374 (Ind. 2015).

The pharmacist had accessed the prescription records of a woman customer who had been romantically involved with the pharmacist’s boyfriend and eventual husband and divulged information she obtained to him.   The disclosed information related to birth control prescriptions and sexually transmitted diseases and was used by the boyfriend in an attempt to have the woman relent on her paternity claims against him.  All of this came to the knowledge of the woman’s family and friends.

Hinchy is notable not only for the size of the verdict but also as another instance of the expanding number of cases finding a state-law cause of action for a HIPAA breach.  This issue has previously been identified in this blog.

But the decision is more noteworthy in its imposition of vicarious liability on the employer.  The Indiana Court of Appeals rejected out of hand the Walgreen position that the pharmacist had acted on her own and outside the scope of her employment as a pharmacist.  It did not matter to the court that Walgreen had in place policies restricting the use and disclosure of HIPAA PHI and a computer audit trail that identified the pharmacist’s accessing of the records and confirmed the breach.   Walgreen also had a training program for employees to encourage adherence to the policies regarding non-disclosure of patient confidential information.  Before jury selection, the trial judge had granted partial summary judgment in favor of Walgreen on an allegation of negligent training.   While the trial judge had denied the part of that motion challenging negligent supervision of the pharmacist by Walgreen, the Court of Appeals stated that it was not considering the supervision claim at all and that its determination of liability was based solely on respondeat superior.  It approved of the following jury instruction:

An employer is liable for the wrongful acts of its employee which are committed within the scope of employment.

An act is within the scope of employment if it is incidental to the employee’s job duties, that is to say, the employee’s wrongful act originated in activities closely associated with her job.

In deciding whether an employee’s wrongful act was incidental to her job duties or originated in activities closely associated with her job, you may consider:

1. whether the wrongful act was of the same general nature as her authorized job duties;

2. whether the wrongful act is intermingled with authorized job duties; and

3. whether the employment provided the opportunity or the means by which to commit the wrongful act.

Contrary to Hinchy is the outcome and analysis in Bagent v. Blessing Care Corp., 862 N.E.2d 985 (Ill. 2007), in which a hospital-employed phlebotomist received a fax from a facility that performed laboratory tests for the hospital at which she was employed.  The fax had the results of a pregnancy test for the plaintiff indicating that she was pregnant.  A few days later the phlebotomist was at a tavern with friends when she saw the plaintiff’s sister and asked how the sister was doing with the pregnancy assuming she knew of it.  She did not.  The Illinois Supreme Court ruled that this conduct was outside the scope of the phlebotomist’s employment.

The established doctrine of respondeat superior provides that an employer faces liability to persons harmed by employees acting in the course of their employment.  Generally, a master is not subject to liability for the torts of his or her servants acting outside the scope of their employment, unless: (a) the master intended the conduct or the consequences, or (b) the master was negligent or reckless, or (c) the conduct violated a non-delegable duty of the master, or (d) the servant purported to act or to speak on behalf of the principal and there was reliance upon apparent authority, or he or she was aided in accomplishing the tort by the existence of the agency relation. More particularly, intentional torts and crimes rarely fall within the scope of employment because an employer is not responsible for acts that are clearly inappropriate or unforeseeable in carrying out authorized tasks.  In Davis v. Devereux, 209 N.J. 269 (2010), the Supreme Court conducted an extensive review of the principles of respondeat superior with particular reference to the scope of employment issues.  In Davis as it had on several occasions, the Court noted that the determination of whether or not a particular act is within or outside the scope of employment involves a fact-specific inquiry.  That will be quite true in connection with allegations of tortious HIPAA breaches.

The Court in Davis also looked at the exception to employer vicarious liability based on a non-delegable duty.  Although the non-delegable duty doctrine has been used in a healthcare context, see Marek v. Professional Health Services, Inc., 179 N.J. Super. 433, 441-42 (App. Div. 1981), the Court underscored its reluctance to impose liability on the basis of this concept.  It results in liability regardless of whether the employer acted with care in hiring and training an employee and regardless of whether the employee acted within the scope of his or her employment.  Although the Indiana Court of Appeal did not use the terminology of “non-delegable duty,” its holding is consistent with that analysis.  Finding of a non-delegable duty in connection with HIPAA medical privacy issues will open expansive tort liability for employers.  There are a number of instances in which creative plaintiff’s attorneys have attempted to construct liability claims based on an asserted “non-delegable duty” arising out of Federal regulations.  This is something to watch out for in connection with HIPAA breach torts.  As illustrated in a number of recent state cases, including more recently Hinchy, while the source of a duty may be state law which provides the private cause of action, the standard of care is derived from the Federal regulation.  It is indeed something to watch out for.