Accessing of patient information by healthcare employees who are not authorized to do so is clearly a violation of the Health Insurance Portability and Accountability Act’s Privacy Rule. Are employers also accountable for the privacy breach caused by snooping employees under HIPAA ?
A patient of Carilion Healthcare Corp’s Carilion Clinic based in Virginia with the name of Lindsey Parker filed a legal case against Carilion Clinic and Carilion Healthcare Corp in 2016 because of an incident involving two of its employees who viewed her healthcare information and impermissibly shared her past diagnosis.
The privacy breach occurred in 2012 when Parker visited the Carillion Rocky Mount Obstetrics & Gynecology clinic to consult the doctor about an issue that is not connected to her previous diagnosis. While in the waiting room, Parker talked with Trevor Flava, who was an acquaintance.
Based on Parker’s allegations, Carilion employee, Christy Davis, accessed the clinic’s healthcare record system and viewed Parker’s past diagnosis. Then Davis got in touch with her friend, Lindsey Young, who worked in another department and talked to her about Parker’s past condition. Davis also told Young that Parker is talking with Flava. To verify what she’s been told, Young allegedly checked Parker’s healthcare record, and disclosed it to Flava.
Parker together with her lawyer sued not just the two Carilion employees, but also Carilion Clinic and Carilion Healthcare Corp for the impermissible disclosure of her healthcare records. Parker argued that Carilion Clinic has direct liability for this privacy breach because Carilion failed to protect her healthcare data privacy and was vicariously accountable as per the respondeat superior principles. Carilion also acted partly in negligence, failing to secure the privacy of her health records, which is a violation of the HIPAA Rules. Parker furthermore claimed that a HIPAA violation is also a Virginia law violation.
Carilion contested the allegations and said that the employees behaved in ways that were not allowed by their employment, thus the respondeat superior claim does not apply nor is the claim on HIPAA violation valid. The Virginia circuit court decided in favor of the contention and Parker was told to file an amended complaint within 21 days. Parker didn’t conform to the decision, although Parker filed a notice of appeal on December 2, 2016, a time still allowed by law.
Presently, the Virginia Supreme Court partly resurrected the case. There is no decision nor reversal yet regarding the alleged direct liability, but, the circuit court has already made a decision regarding the respondeat superior claim of vicarious liability.
According to Justice D. Arthur Kelsey, since no factual contests are generally presented during the case’s pleading stage, the circuit court’s decision sustaining Carilion’s demurrer was reversed. Other consideration is required on the instances contributing to the access of the patient’s healthcare records by the personnel, the reason for disclosing the information, and whether the employees were on-duty when they committed the violation.