Sheldon v. Kettering Health Network
2015 Ohio 3268 (2015)
Rule of Law:
HIPAA does not create a private right of action, nor can its administrative rules generally serve as a direct standard of care for common-law negligence per se claims; furthermore, an employer is not vicariously liable under respondeat superior for an employee's intentional torts committed solely for personal reasons and not to promote the employer's business, and a hospital's failure to detect an employee's unauthorized access to records does not constitute 'disclosure' under Ohio's common-law breach of confidentiality tort.
Facts:
- Vicki Sheldon, Haley Dercola, and T.D. (Haley Dercola's minor child) were patients of Kettering Health Network (KHN).
- KHN utilized an electronic medical information system called 'EPIC' and generated 'CLARITY' reports to safeguard patient data and ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA).
- Duane Sheldon, a KHN administrator and Vicki Sheldon's former spouse, possessed access to the EPIC system but was not authorized to view the plaintiffs' specific health records.
- Over at least 15 months, Duane Sheldon improperly accessed the sensitive medical information of Vicki Sheldon, Haley Dercola, and T.D. on multiple occasions.
- Duane Sheldon shared Vicki Sheldon's accessed medical information with his paramour, a subordinate KHN employee, to further an extramarital affair.
- Duane Sheldon and other parties in his department allegedly created one or more fictitious names to improperly access protected health information.
- KHN allegedly failed to implement reasonable measures, such as regularly running and monitoring CLARITY reports, to detect Duane Sheldon's unauthorized access.
- KHN eventually notified the plaintiffs of the breaches but refused to provide the requested CLARITY reports, instead offering an inadequate 'Homegrown' report containing allegedly false information.
Procedural Posture:
- Vicki Sheldon, Haley Dercola, and T.D. (through Haley Dercola as parent/guardian) filed a complaint against Kettering Health Network (KHN) and Duane Sheldon in the Common Pleas Court (trial court).
- The complaint asserted common-law tort claims including invasion of privacy, negligence, negligence per se, negligent training, negligent supervision, intentional infliction of emotional distress, and breach of fiduciary duty, as well as claims under the Fair Credit Reporting Act and Fair Debt Collection Practices Act (the latter two were later voluntarily dismissed).
- Duane Sheldon filed a Civ.R. 12(B)(6) motion to dismiss, which the trial court denied.
- KHN filed a Civ.R. 12(B)(6) motion to dismiss, arguing the common-law claims were 'HIPAA-based' and thus impermissible, and alternatively, that some claims were insufficiently pled.
- Plaintiffs filed a motion for leave to file a first amended complaint, seeking to clarify their claims were not under HIPAA but were common-law torts using HIPAA as a standard of care.
- The trial court granted KHN's Civ.R. 12(B)(6) motion, dismissing all of plaintiffs' common-law tort claims on the grounds that they were 'HIPAA-based' and HIPAA does not provide a private right of action.
- The trial court subsequently dismissed the plaintiffs' motion for leave to amend their complaint as moot.
- Plaintiffs then voluntarily dismissed their claims against Duane Sheldon.
- Vicki Sheldon and Haley Dercola appealed the trial court's dismissal of their common-law claims against KHN to the Court of Appeals of Ohio, Second Appellate District.
Issue:
Can plaintiffs assert common-law tort claims (such as negligence or breach of confidentiality) against a healthcare provider for its alleged failure to prevent an employee's unauthorized access and disclosure of private medical information, where such claims are 'HIPAA-based' and HIPAA itself provides no private right of action, and can the employer be held vicariously liable for the employee's intentional, personal torts?
Opinions:
Majority - Hall, J.
No, plaintiffs cannot assert common-law tort claims against KHN predicated on HIPAA requirements for either direct negligence or respondeat superior, nor does KHN's alleged negligent failure to detect unauthorized access to medical records constitute 'disclosure' under Ohio's common law tort of breach of confidentiality. For an employer to be held liable under respondeat superior for an employee's intentional tort, the employee's actions must be 'calculated to facilitate or promote the business for which the servant was employed.' Duane Sheldon's conduct of accessing and sharing records for personal reasons (an affair) and creating fictitious names was an independent, self-serving act that did not serve KHN's business, thus precluding respondeat superior liability. The court affirmed that HIPAA itself does not provide a private right of action, and allowing its regulations to define per se duty and liability for breach in common-law claims would effectively create such a prohibited private action. Furthermore, under Ohio law, the violation of an administrative rule (like HIPAA regulations) does not constitute negligence per se, but may only serve as evidence of negligence. Critically, the HIPAA regulations concerning information system activity do not provide a 'positive and definite standard of care' regarding the frequency of auditing, making them insufficient to support negligence per se. While Ohio's common-law tort for 'unauthorized, unprivileged disclosure to a third party of nonpublic medical information' (known as a Biddle claim) is not preempted by HIPAA and remains viable, the plaintiffs' allegations against KHN (failure to detect an employee's unauthorized access) do not constitute 'disclosure' as required by Biddle, which typically involves active or intentional disclosure by the hospital. 
Other common-law claims such as invasion of privacy (wrongful intrusion) and intentional infliction of emotional distress require intentional misconduct on the part of KHN, which was not alleged, and respondeat superior was found inapplicable. Claims for negligent training and negligent supervision also failed because the only alleged basis for KHN's constructive knowledge of Duane Sheldon's incompetence was its failure to monitor HIPAA-required reports, which the court deemed 'definitively HIPAA-based' and thus prohibited as a vehicle for a private action for damages. The court concluded that the plaintiffs' proposed amended complaint would have been futile as it did not remedy these fundamental deficiencies.
Concurring - Donovan, J., and Welbaum, J.
Donovan, J., and Welbaum, J., concurred in the judgment of the majority.
Analysis:
This case significantly limits the avenues for plaintiffs to seek recourse against healthcare providers for privacy breaches caused by employees' personal misconduct. It clarifies that courts will rigorously prevent attempts to circumvent HIPAA's lack of a private right of action by re-framing HIPAA violations as common-law torts. The ruling also tightens the application of respondeat superior in Ohio, emphasizing that an employee's intentional torts must genuinely benefit the employer's business for liability to attach. Additionally, it narrowly interprets what constitutes 'disclosure' under Ohio's common-law tort of breach of confidentiality, requiring more than just a failure to detect unauthorized access, thereby setting a high bar for direct hospital liability in such scenarios. This decision underscores the need for plaintiffs to clearly establish independent common-law duties and breaches that are not merely 'HIPAA-based' allegations.
