94 Annals of Health Law Vol. 25
This contextual requirement of a confidential relationship could be established against providers via the traditional physician-patient relationship and against developers with an implied contract argument. Most jurisdictions now recognize the breach of confidence as a tort.234 It is essentially a strict liability action235 and, at least in this regard, is similar to HIPAA and state health privacy statutes. To prevail against a provider, the plaintiff would have to prove “unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship.”236 Recently, a further limitation was recognized by the New York Court of Appeals, which held that a claim for unauthorized disclosure of medical information could not run directly against medical corporations when the employee responsible for the breach was not a physician and was acting outside the scope of her employment.237 Beyond issues arising in breach of confidence cases, there is a growing body of fact-intensive case law dealing with the responsibility of healthcare data custodians for the misfeasance of their employees.238 A common issue in privacy and security litigation is how such state causes of action interact with the HIPAA privacy and security rules. As decisively stated by the Fifth Circuit in Acara v. Banks:
HIPAA does not contain any express language conferring privacy rights upon a specific class of individuals. Instead, it focuses on regulating persons that have access to individually identifiable medical information and who conduct certain electronic health care transactions. HIPAA provides both civil and criminal penalties for improper disclosures of medical information. However, HIPAA limits enforcement of the statute to the Secretary of Health and Human Services. Because HIPAA specifically delegates enforcement, there is a strong indication that
Unpub. LEXIS 85, at 8-9 (Ky. Ct. App. Mar. 24, 2006).
234. See, e.g., Biddle v. Warren Gen. Hosp., 715 N.E.2d 518, 523 (Ohio 1999).
235. See generally Vassiliades v. Garfinckel’s, Brooks Bros., 492 A.2d 580, 590 (D.C. 1985) (reasoning that the “limited duty conveys a standard that is more strict than the reasonable man test”).
236. See Biddle, 715 N.E.2d at 528.
237. Doe v. Guthrie Clinic, Ltd., 5 N.E.3d 578, 582 (N.Y. 2014).
238. See, e.g., Walgreen Co. v. Hinchy, 21 N.E.3d 99, 103 (Ind. Ct. App. 2014) (ruling on question of fact as to whether pharmacist acting within scope of employment when she looked up prescription records belonging to girlfriend of ex-partner); cf. Robbins v. Trs. of Ind. Univ., No. 49A04-1412-CT-583, 2015 Ind. App. LEXIS 663 (Ct. App. Oct. 2, 2015) (holding that while the nurse’s employer, the trustees, authorized her to access patient information for business reasons, she was expressly not authorized to access, use, or disclose the information for personal, unauthorized, unethical, or illegal reasons, and the nurse’s actions were not sufficiently associated with her employment duties so as to have fallen within the scope of her employment); cf. Sheldon v. Kettering Health Network, 40 N.E.3d 661, 675 (Ohio Ct. App. 2015).