The Empty Promise of Patient Confidentiality
Once again, a major Boston hospital has successfully avoided liability for what goes on within its walls. This time, Brigham & Women’s Hospital has successfully convinced a Superior Court judge that it is not responsible when its employees disclose personal medical information about a patient in violation of federal law.
The patient’s lawsuit against the hospital is hanging on by a thread—only because the medical information concerns her HIV-positive status. Superior Court Judge Edward Leibensperger ruled that a special statute makes health care facilities automatically liable for the disclosure of information about a patient’s HIV status, but that the wrongful dissemination of other types of medical information is generally not the hospital’s responsibility.
Bryant v. Jackson involved the plaintiff’s claim that a Brigham & Women’s employee had wrongfully accessed her personal medical information, which included the fact that she was HIV-positive, and then conveyed that information to a mutual friend. She sued the hospital and its employee for the wrongful disclosure of her protected health information. Applying the ordinary law of agency to determine whether Brigham & Women’s could be held vicariously liable for the wrongful acts of an employee, Judge Leibensperger held that the plaintiff needed to show that the employee’s wrongful conduct occurred in the scope of her employment with the hospital, and that her wrongful conduct was motivated, at least in part, by a purpose to serve the employer.
As to the claim that the plaintiff’s medical record had been improperly accessed, the court found that, because the defendant’s job arguably required access to the medical record, both the scope of employment and the purpose to serve tests had been met. Thus, if the plaintiff could prove damages related to the access alone, she might recover. But as to the more substantial and serious claim, that the defendant employee had wrongfully told friends of the plaintiff about her medical condition, the court found that there was no motivation to serve the employer, and thus the employer could not be responsible.
Judge Liebensperger’s application of the law, while quite restrictive and narrow, is at least arguably correct. However, the result is quite disturbing for patient advocates, and should prompt a close reexamination by the courts and the legislature. Hospitals and other health care providers are subject to strict federal and state laws regarding the confidentiality of their patients’ medical information. Yet these laws mean little if a patient has no remedy for a violation. In most cases, the employee who accessed and disseminated the information is unlikely to be financially capable of satisfying a judgment. But under Judge Liebensperger’s analysis, the hospital will almost never be responsible for the disclosure, as most unauthorized accesses and disclosures are motivated by the employee’s personal interests or curiosity, and not by a desire to serve the hospital’s interests.
And that’s bad public policy. The hospital puts its patients’ most personal medical information in the hands of its employees, and it is in the best position to make sure that that information is accessed only by those with a need to know, and that employees are mindful of the consequences of disclosure. If the hospital bears no responsibility for a disclosure, it has little incentive to make sure disclosures don’t happen. Patients deserve better when they put their trust in a medical facility.