Indiana Appellate Court Allows Case to Proceed Against Doctor Accused of Improperly Accessing Patients’ Medical Records
By Damian D. Capozzola, Esq.
News: The Court of Appeals of Indiana recently revived a case involving significant allegations of breaches of privacy and professional misconduct against a doctor and hospital group. The central figure in the controversy is a doctor who was accused of improperly accessing the medical records of 13 women whom he had encountered in various social settings and who subsequently filed a lawsuit against him and his employer.
The plaintiffs alleged that the doctor’s unauthorized access to their medical records comprised a severe privacy breach. They sought to hold his employer, the hospital, vicariously liable as well. In the trial court, the hospital argued that the doctor acted outside the scope of his employment and claimed that Indiana law did not recognize the plaintiffs’ claim for intrusion into emotional solace. After the trial court granted summary judgment in favor of the hospital, the plaintiff patients appealed. The Court of Appeals affirmed in part and reversed in part. It upheld the trial court’s decision not to recognize the tort of intrusion into emotional solace but found genuine issues of material fact regarding the claims of intentional infliction of emotional distress (IIED) and whether the doctor’s actions were within the scope of his employment. The appellate court remanded these issues for further proceedings in the trial court.
The case underscores the importance of privacy safeguards, the potential for hospital liability for the acts of its doctors (in states where that may apply), and the evolving legal landscape concerning emotional distress claims and privacy torts in the medical field.
Background: In late 2018, the defendant hospital employed the doctor in their urgent-care centers. As part of his employment agreement, the doctor agreed to adhere to the hospital’s policies against accessing patient records for personal reasons. Despite this, in early 2020, the doctor accessed the medical records of a former patient without her knowledge. The patient later reported that the doctor had contacted her via social media.
In 2021, the hospital implemented violation-detection software that flagged the doctor’s suspicious activities. An internal investigation revealed that over a year-and-a-half period, the doctor had accessed the records of 46 individuals who had never been his patients. Upon confrontation, the doctor admitted to these violations, resulting in his termination. The hospital then notified the affected individuals.
Thirteen women among the notified group, all of whom had unusual and discomforting interactions with the doctor in social settings, filed a lawsuit. These women described various instances where the doctor’s behavior toward them was distressing. For example, two of the patients met the doctor at bars where he would follow them and try to engage with them socially, and other patients also recounted similar experiences of being followed and contacted inappropriately by the doctor.
The plaintiffs brought claims against the doctor and the hospital for invasion of privacy by intrusion into emotional solace and IIED. The patients also sought to hold the hospital vicariously liable for the doctor’s actions under the doctrine of respondeat superior, which requires that the doctor’s actions were within the scope of his employment.
In the trial court, the hospital sought summary judgment, arguing that Indiana law does not recognize the tort of intrusion into emotional solace and that the doctor’s actions were outside the scope of his employment. The trial court granted the hospital’s motion, and the plaintiffs appealed.
The Court of Appeals reviewed the case de novo, meaning they reconsidered the trial court’s decision without deference to its findings. The appellate court noted that, while there were compelling arguments for recognizing the tort of intrusion into emotional solace, especially in the context of medical-record snooping, that recognition would need to come from the Supreme Court of Indiana or the state legislature. Accordingly, the court upheld the trial court’s decision not to recognize this tort.
But as to the tort of IIED, the appellate court found that this claim should have proceeded in the trial court. It found that this tort does not necessarily require the defendant to have intended to cause emotional distress, but it was enough that the defendant doctor acted recklessly. The court found that because there were genuine issues of material fact regarding whether the doctor’s actions amounted to reckless infliction of emotional distress, summary judgment should not have been granted.
As to the plaintiffs’ attempts to hold the hospital liable, the appellate court found that despite the hospital’s policies prohibiting personal use of patient records, there were genuine issues of material fact about whether the doctor’s actions were within the scope of his employment, and summary judgment should not have been granted on this claim either.
The appellate court affirmed the trial court’s rulings in part, reversed them in part, and remanded the case back to the trial court. It agreed with the trial court on the non-recognition of intrusion into emotional solace but found that the issues surrounding IIED and the scope of employment warranted further examination.
What this means for you: This case highlights the complexities of tort law and employer liability in the evolving realm of privacy breaches in healthcare settings. It underscores the necessity for medical institutions to enforce stringent monitoring and compliance mechanisms to protect patient privacy effectively.
The court’s decision to grant or deny summary judgment hinged on whether there were genuine issues of material fact regarding the plaintiffs’ claims. Summary judgment is appropriate when there is no dispute over the material facts and the moving party is entitled to judgment as a matter of law. In this case, the court found that there were genuine issues of material fact regarding whether the doctor’s actions were within the scope of his employment and whether they constituted IIED. This decision underscores the importance of factual disputes in determining the outcome of legal claims, especially in complex cases involving multiple legal theories and significant evidence.
One of the core issues in this case revolves around whether the doctor’s unauthorized access to patient records fell within the scope of his employment, which could make the employer vicariously liable under the doctrine of respondeat superior. This doctrine, which translates to “let the master answer,” holds employers liable for the actions of their employees if those actions are performed within the scope of employment.
For the employer to be held liable, the employee’s misconduct must occur within the scope of employment. Courts look at several factors to determine if an employee’s actions are within the scope of employment. These factors include the employer’s control over the employee’s access to records, the employee’s understanding of their rights to record access, and the adequacy of the employer’s monitoring and regulatory systems for record access. Relying on another case, the court here found that unauthorized conduct might still fall within the scope of employment if it naturally or predictably arises from authorized activities. The court noted that the hospital had extensive control over the doctor’s access to patient records, and the lack of sufficient monitoring systems allowed his unauthorized access to go undetected for an extended period. That was enough for the appellate court to reverse the trial court’s grant of summary judgment on this issue.
Another critical aspect of the case is the claim for IIED. The plaintiffs needed to prove that the doctor’s actions were intentional or reckless and that they caused severe emotional distress to the patients. Indiana law acknowledges that recklessness can suffice for an IIED claim, meaning that deliberate disregard for the high probability of causing emotional distress is enough to hold someone liable. The court examined whether the doctor’s actions met this threshold. It found that, because the doctor admitted that accessing the plaintiffs’ records was unauthorized and inappropriate, that may be enough to find that the doctor acted recklessly. The appellate court’s decision may have opened the gate to torts for emotional distress in the context of privacy breaches.
The case also underscores the importance of privacy and security measures in healthcare settings. The Health Insurance Portability and Accountability Act (HIPAA) mandates stringent protections for patient information. The doctor’s unauthorized access to patient records violated HIPAA provisions, and the hospital’s failure to prevent and promptly address this breach highlights the need for effective internal controls and monitoring systems. The plaintiffs argued that the hospital should have done more to monitor the doctor’s access to patient records, especially after receiving a complaint from one of the patients. This suggests that healthcare providers must not only implement but also actively enforce policies and procedures to protect patient data. It is not enough to have a policy. Hospitals must actually monitor and enforce the policy. The hospital’s failure to investigate complaints and enforce access controls may expose it to significant legal and financial liability.
Finally, and as a related point, healthcare organizations have a responsibility to provide annual education to all employees, physicians, and contracted personnel on compliance issues, including but not limited to HIPAA, harassment, Stark and other anti-kickback laws, and more. Evidence of successful participation in compliance education programs should be available in personnel files for all staff. This evidence can mitigate possible liabilities for healthcare organizations as well as staff should noncompliance accusations or grievances occur.
Reference
- Decided on June 5, 2024, in the Court of Appeals of Indiana, Case No. 24A-CT-47.
The Court of Appeals of Indiana recently revived a case involving significant allegations of breaches of privacy and professional misconduct against a doctor and hospital group.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.