In July 2010, a man entered the Guthrie Clinic in Coning, New York to receive treatment for a sexually transmitted disease. As it happened, a nurse at the clinic knew the man, identified only as “John Doe” in court documents. Doe was the boyfriend of the nurse’s sister-in-law.
So the nurse texted her sister-in-law to inform her that Doe had an STD. The sister-in-law then forwarded the message to Doe, who filed a complaint with the clinic. Guthrie acknowledged the misconduct and fired the nurse. Doe sued the Guthrie Clinic, charging that the institution is liable for the disclosure of his personal information.
Last week, however, the state’s highest court ruled against Doe, clearing Guthrie of legal liability. The clinic should not be held responsible for a worker’s action that “is not within the scope of employment,” the New York State Court of Appeals stated in a majority decision.
The nurse was motivated by “personal reasons” that had nothing to do with Doe’s treatment and care, the majority noted. As a result, the clinic could not have been expected to prevent her misconduct.
“A medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment,” wrote Judge Eugene Pigott, speaking for the six-justice majority.
Holding a clinic liable for “any disclosure by an employee… is unnecessary and against precedent,” Pigott continued, explaining that an institution could still be found liable if it had failed to establish policies and procedures aimed at maintaining patient confidentiality.
Judge Jenny Rivera, the sole dissenter, countered that a medical establishment should have higher standards for protecting patients in an era when unauthorized disclosures can spread quickly. It should be held liable, she argued, “for its own failure to prevent breaches of confidentiality by employees who act outside the scope of their employment.”
“The ease with which confidential patient information can now spread through personal digital devices and across social networks demands a strong legal regime to protect a patient’s confidentiality,” she wrote. “Societal interest in maintaining patient privacy in medical records is served through a robust tort system, responsive to the realities of the ease of disclosure.”
Next: the text of the court’s decision.