Earlier this week, I mentioned the Doe v. Guthrie Clinic, Ltd.^[1] case and what it may mean for provider liability. In a nutshell, the plaintiff in Guthrie seeks to extend the fiduciary duty of patient confidentiality beyond the licensed provider to the medical corporation, including hospitals and medical practices.  Under the proposed theory, the hospital or medical practice could be held directly liable for the unauthorized disclosure of patient information regardless of whether an employee disclosed the information within the scope of employment.  In other words, the unauthorized disclosure of patient information would be attributed to the medical corporation, which acting through its representatives, breached patient confidentiality.

In Guthrie, the Plaintiff was at the Guthrie Clinic for the treatment of a sexually transmitted disease.  Megan Stalbird was a nurse at the clinic and also the sister-in-law of Plaintiff’s girlfriend, Jessica.

While Plaintiff was receiving treatment, Stalbird sent several text messages to Jessica discussing Plaintiff’s STD (for reasons unrelated to Plaintiff’s care (and thus, outside the scope of her employment)).  Plaintiff subsequently learned about the text messages and notified the clinic. The clinic fired Stalbird and readily admitted to the breach of health information.

The Guthrie plaintiff then brought suit against the clinic for common law breach of fiduciary duty to maintain the confidentiality of personal health information, breach of contract, negligent hiring, negligent infliction of emotional distress, intentional infliction of emotional distress, and breach of duty to maintain the confidentiality of personal health information under three New York laws.

The district court dismissed all eight of these claims.  On appeal, Plaintiff challenged the district court’s ruling that a medical corporation cannot be held directly liable for breach of fiduciary duty of confidentiality.  The Second Circuit held that the availability of a common law cause of action against the clinic under the proposed theory is a question for the New York Court of Appeals.  The appeal has been stayed in the Second Circuit pending an answer.

There is very little case law on the issue, but the Second Circuit likened Guthrie to an earlier New York case in which a medical records clerk disclosed information about a patient’s treatment by a psychiatric social worker.^[2] In that case, the New York court held that the medical corporation could be liable for the breach by its employee because “[t]o hold otherwise would render meaningless the imposition of such a duty on a medical corporation, since the wrongful disclosure of confidential information would never be within the scope of the employment of its employees.”^[3]

The Guthrie court expressed reluctance to permit or prohibit the proposed expansion of fiduciary liability to medical corporations based on the single New York State case noting that the case lacks statutory authority or case law precedent.^[4]

While we wait for the outcome of Guthrie, now is the perfect time to review, evaluate, and update effective employee policies and training resources to protect and secure patient information.  Such policies and training should cover the use of SMS texting and the use (or nonuse) of social media tools.  For helpful suggestions on the use of SMS texting, see the McBrayer Health Law Blog post, “The Wild Wild West of SMS,” 10/04/2012.

_{[1]Doe v. Guthrie Clinic Ltd., 12-1045-cv (2nd Cir. 2013)}

_{.[2] Doe v. Cmty Health Plan-Kaiser Corp., 709 N.Y.S.2d 215 (3d Dep’t 2000).}

_{[3] Id. at 218.}

_{[4]  Guthrie at 7}.