Sheldon v. Kettering Health Network – Aug. 2015 (Summary)

HIPAA – HEALTH INFORMATION PRIVACY

Sheldon v. Kettering Health Network, No. 26432 (Ohio Ct. App. Aug. 14, 2015)

fulltextThe Court of Appeals of Ohio affirmed a lower court’s dismissal of tort claims, including invasion of privacy, negligence, negligence per se, negligent training, negligent supervision, intentional infliction of emotional distress, and breach of fiduciary duty, all of which were based on alleged violations of the federal Health Insurance Portability and Accountability Act (“HIPAA”). The litigation involved claims made by a patient that a health network had failed to protect the privacy of her electronic medical information, which was based on allegations that the administrator of the health network, who was the patient’s former husband, had improperly accessed and disclosed her protected health information to a subordinate network employee with whom he was alleged to be having an affair. The patient claimed that had the network been running and monitoring appropriate electronic record audits, the breaches could have been prevented or minimized.

The health network argued that HIPAA does not provide a private right of action, therefore, as a matter of law, the patient could not assert her common law tort claims, all of which essentially alleged HIPAA violations. The court agreed that the unauthorized access was a HIPAA-based claim and held that allowing such a claim to proceed against the network based on claims that the network failed to take reasonable steps allegedly required under HIPAA to protect her health information and detect the breaches at issue would effectively allow an unlawful private action for damages predicated on HIPAA requirements. The court also found that the network could not be found vicariously liable for the administrator’s intentional and unauthorized access of the records for purposes of furthering his affair, as it was not conduct of the kind which he was authorized to perform or which was actuated, at least in part, to serve the purposes of his employer, the health network.