Organizations and individuals that handle “protected health information” (PHI) face high standards imposed by both federal and state law.(1) This week, we consider steps health care industry employers can take to reduce the risk of liability when an employee accesses and/or discloses PHI without authorization. Such situations could arise when a curious employee with access to patient records decides to look up the test results of a sick friend or discover why a local celebrity landed in the emergency room over the weekend.

In Wisconsin there are several potential negligence claims against a healthcare provider whose employee accesses and discloses PHI.(2) These claims include vicarious liability, when an employer is held responsible for the acts or omissions of an employee acting within the scope of employment, and negligent hiring, training and supervision. When either type of claim arises, an employer's written confidentiality policies, training programs and hiring procedures inevitably become the subject of intense scrutiny. Evidence of clearly explained policies, thorough training and careful hiring can make or break an employer's defense.

Before litigation ever commences, there are proactive steps every health care employer can consider taking.

• Stay alert during the hiring process for anything in a potential employee's background that could support a future inference that the employer should not have trusted that individual with confidential information. Consider asking job candidates whether they have ever been audited or disciplined by a prior employer for unauthorized disclosures of PHI.

• Develop and distribute to employees a clear confidentiality policy regarding PHI. At a minimum, the policy should state that records and related information should be protected, and they should not be accessed, altered, reviewed, shared, or discussed, except as required by business responsibilities. Each employee should read and sign the policy at time of hire.

• Make training on confidentiality and legitimate business requirements for accessing patient records part of the employee orientation program, and provide additional training on a periodic basis, especially if there are changes to internal information systems or in federal or state rules. Document which employees have received training or education and when each employee received it.

• Provide employees with an annual refresher on the confidentiality policy. Consider requiring that employees sign a document indicating that they reviewed the confidentiality policy as a routine part of their annual employee performance review process.

• Implement audit procedures to monitor employee access to PHI and/or limit PHI access to only those employees who are involved with that patient's care.

All of the above suggestions are presented with the caveat that written policies, training, documentation, and structural safeguards can only go so far. Moreover, not all measures proposed may be feasible in every situation. The bottom line is that nothing can stop an employee who is so inclined from improperly disclosing PHI of patients that the employee was directly involved in treating. Nonetheless, each proposed measure holds some value for reducing risk and serving the primary goal of maintaining the confidentiality of PHI.

If an employee privacy breach does occur, a health care provider will have the strongest defenses to a vicarious liability claim when the breaching employee's actions were demonstrably intentional and thus outside the scope of employment. Evidence of written policies and employee training in the area of patient confidentiality can provide strong support for the dismissal of a vicarious liability claim as a matter of law.

For example, Korntved v. Advanced Healthcare, S.C., stresses the importance of the written policy in any scope of employment inquiry. 2005 WI App 197, 286 Wis. 2d 499, 704 N.W.2d 597. In that case, a lab technician accessed the medical records of her husband's family members and disclosed those records to her husband. The court held that the employer's written policy signed by the employee, among other factors, showed that the employee had acted outside the scope of employment in accessing and disclosing the records. Id., at ¶¶ 5, 13-14 and fn. 6.

What happens when a health care employer's proactive measures fail, litigation ensues and a plaintiff succeeds in proving an employer's negligence? It is worth noting that, even then, Wisconsin courts may invoke certain public policy considerations and refuse to impose liability on the negligent party. See Sigler v. Kobinsky, 2008 WI App 183, ¶ 10, 314 Wis. 2d 784, 762 N.W.2d 706. Among the six commonly cited public policies are assertions that allowing recovery would place too unreasonable a burden upon the tortfeasor or that allowing recovery would have no sensible or just stopping point. Sigler, ¶ 12.

The importance of safeguarding PHI notwithstanding, a health care employer facing negligence claims related to the privacy breaches of an employee may have compelling arguments that employers need not play the role of guarantor or insurer of their employees' conduct. Such arguments will resonate most strongly when the employer has already taken care to implement an array of measures to establish privacy policies and educate its employees on the existence of those policies and the consequences of violating them.

1. See 45 CFR 160.103 for a definition of PHI, and, more generally, 45 C.F.R. §§ 160-64, for the HIPAA “Privacy Rule” and the HITECH expansion, codified at 42 U.S.C. § 17930, et seq. HIPAA is the minimum standard for patient privacy. Wisconsin's law on the confidentiality of patient health care records is found at Wis. Stat. § 146.82. It applies to “any person,” as opposed to HIPAA's application to “covered entities” and “business associates.”
2. HIPAA violations may result in civil and criminal penalties for health care providers under federal law; however, HIPAA does not create an individual private right of action. Individual plaintiffs may therefore attempt to prove in state courts that a HIPAA violation constitutes negligence per se.

If you have further questions about protecting against health care employee privacy breaches, please contact us at (608) 662-1180.

This news update is designed to provide general, educational information on pertinent legal topics, and the statements therein do not constitute legal advice. This news update is not intended to create an attorney-client relationship between you and Corneille Law Group, LLC. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.