Liability of Hospitals under the Law of Contract and Law of Torts
1. The Charm City Hospital (CCH) received a subpoena for 450 patient records in connection with a doctor, Dr. Wyst, who worked at the hospital 10 years ago. Certain malpractices have been proved against the doctor, and there has also been a breach of data security committed by a volunteer of the Neonatal Intensive Care Unit of the same hospital. The IT department of the hospital failed to consult the legal counsel or any other department for the interpretation of the subpoena or for other legal assistance. It has been reluctant towards the subpoena and has not taken any necessary steps against the volunteer who disclosed the hospital’s confidential information about patients, which is a criminal offence.
Under the Law of Contract, when a patient shares his or her personal and medical details with a hospital or other medical concern, that medical concern becomes bound to preserve and protect the information and to treat it with the utmost confidentiality. If such data is divulged or misused, it amounts to a severe breach of contract, and the victim would be entitled to sue the medical concern for damages.
Under the Law of Torts, if an employee of the hospital leaks confidential information pertaining to patients’ identities, addresses, email IDs, medical histories and the like, the hospital would be held liable under the principle of vicarious liability. This principle directs the employer to carry the burden of liability for a tort committed by its employee. The doctrine of ‘Respondeat Superior’ applies in such a case, and the superior in position is held responsible for the wrongful act of its subordinate. Further, when an employee or a department of a hospital fails to carry out the duties that require it to respond to subpoenas and legal proceedings, this amounts to corporate negligence. In such a case, the hospital would be held liable for the misconduct or omission of duty by its employees.
HIPAA Regulations and Security Breach Notification Rule
In the United States of America, medical information is guarded and regulated by the Health Insurance Portability and Accountability Act (HIPAA). It applies to medical care providers, pharmacies, data processors and other entities associated with the handling of medical data and information. The Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule) apply to the gathering and use of Protected Health Information (PHI). The standards for the protection of medical data are laid down in the Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule), while the electronic transmission of medical data is dealt with by the Standards for Electronic Transactions (HIPAA Transactions Rule). These rules were revised and consolidated under the HIPAA “Omnibus Rule”. The Security Breach Notification Rule, also revised by the HIPAA Omnibus Rule, requires entities to give notice of a breach of PHI. As per the Omnibus Rule, an entity must give notice of any acquisition, access, use or disclosure of Protected Health Information that is unauthorised and unlawful under the Privacy Rule. The entity must hold strong supporting evidence if it is to rebut a notice of divulgence of confidential data to a party that has no capacity to hold it.
Importance of Handling a Subpoena with Care
In the given case, the IT department showed reluctance towards the subpoena received for a case against a former doctor who left the hospital 10 years ago. Although the IT department pulled out information on all the patients and old records at its own discretion and informed the hospital’s legal counsel of the subpoena, it did not seek legal advice on the matter. This can be held to be negligence of duty on the IT department’s part, and higher management should issue it a show-cause notice. A hospital system, on the other hand, must handle a subpoena with minute attention, must consult its legal counsel regarding it, and must take official action at the earliest.
The hospital volunteer of the Neonatal Intensive Care Unit has severely breached the terms of his employment and must be prosecuted. He had no official capacity to obtain the data of patients and their confidential information. The hospital must bring charges against the volunteer. At the same time, the hospital itself would be held responsible for the wrongful act of its employee under the principle of vicarious liability. The hospital would be ordered to pay heavy compensation for the invasion of patients’ privacy and the disclosure of their private information.
Chris Jones, the victim whose personal details were sent over email to Dr. Wyst by the volunteer, would be entitled to sue the hospital and the volunteer severally. Jones would sue the hospital on the ground of the hospital’s vicarious liability, as it is the authorised body that held his personal information. The hospital was bound to preserve and protect his identity, address and confidential medical history from being divulged to unauthorised persons. The hospital has failed to carry out its duty to protect his privacy. Therefore, it would be charged under HIPAA and would be liable to pay damages to the victim. The volunteer, on the other hand, would also be held liable for invasion of privacy as well as for defamation for conveying such defamatory messages about Jones over email, which constitutes libel under the law of tort.
2. It has to be determined in this case with which party the liability for the improper disclosure of the enrolees’ PHI lies. To understand the legal basis for this decision, the U.S. Code needs to be analysed. § 6103 of Title 26 of the U.S. Code provides that no employee or officer of the States who receives, or has access to, such information shall disclose it. Such a person shall not make any unauthorised disclosure of information obtained by him in any manner connected with his service as an employee. Section 7213 of Title 26 of the United States Code provides that it is unlawful for an officer or employee of the United States wilfully to disclose any such information to a person not authorised under the title. A person who violates this rule shall, upon conviction, be punished by a fine not exceeding $5,000, or imprisonment not exceeding 5 years, or both. It further provides that any officer or employee convicted of such an offence shall be dismissed from employment. A company that handles public data which must be kept secure is responsible for any instance in which the data is misused or disclosed without proper authorisation. In the case of Terrapin Ltd v Builders Supply Co (Hayes) Ltd, it was observed that a claim for breach of confidentiality can be made in any situation where it can be proved that confidential information of the company or of an individual has been shared or used by an employee. There is no need for a specific contract where the nature of the company is to protect the confidentiality of data provided to it. The Federal Trade Commission Act (15 U.S.C. §§ 41-58) prohibits and penalises conduct by a company that fails to provide the required privacy and makes unauthorised disclosure of personal information.
As per the verdict in N.X. v Cabrini Medical Center, 97 NY2d 247, 252-253 [2002], an employer is liable for the tortious act of its employee if the act was committed within the scope of employment.
In this case, NoSecure shall be liable for the act of its employee who made an unauthorised and improper disclosure of the enrolees’ PHI. NoSecure was under an obligation to ensure the protection of the protected health information given to it. Its work was to make the PHI accessible while ensuring the protection of the data. The employee’s act of disclosing confidential information makes NoSecure liable for the breach of confidentiality. NoSecure was under an obligation to ensure the safety of the data, and consequently the unauthorised disclosure of the data makes the entity liable under the said section of the Code. Hence, NoSecure shall be liable for the situation that has resulted from the act of its employee.
The issue is to determine whether Birdland’s Medicaid agency, Neversafe and NoSecure can take action for the improper disclosure of the enrolees’ personal health information. For the purpose of determining this issue, the consequences of a breach of confidentiality by an employee must be discussed. Breach of confidentiality is a serious offence for an employee of a company that deals with the information and data of the public. A breach of confidentiality constitutes a breach of the employee’s contract with his company.
In this case, the first and foremost consequence that could arise out of the act of Pitch McRye in making unauthorised disclosure of the confidential personal health information of the public, which his company NoSecure deals with, is the termination of McRye. Birdland’s Medicaid Agency, Neversafe and NoSecure can successfully sue the employee, McRye, for his conduct. McRye can be sued for breach of his duty to safeguard the PHI. In the case of Doe v Guthrie Clinic, Ltd 2014 NY Slip Op 00138, it was held that liability shall lie with the company or organisation only if the risk was reasonably foreseeable by the employer. In this case, the risk of the employee disclosing the company’s confidential information was not reasonably foreseeable by NoSecure; hence McRye can be sued for his action by NoSecure. In an extreme situation, a breach of confidentiality can be treated as a criminal offence, and charges of theft of the company’s proprietary information can be brought against him. In this case, Pitch McRye posted the information of almost 500,000 enrolees out of malicious intent and with the aim of taking revenge. Thus, Birdland and Neversafe can sue McRye for violating the rules and publishing the PHI, as he was obliged to protect it and refrain from publishing any of the information. From his conduct it is evident that McRye shall be liable not only for causing the breach of confidentiality but also for committing theft. Hence, Medicaid, Neversafe and NoSecure can claim punitive damages for the alleged breach of confidentiality, and can also hold Pitch McRye liable for theft of information.
Cases
Doe v Guthrie Clinic, Ltd 2014 NY Slip Op 00138
Terrapin Ltd v Builders Supply Co (Hayes) Ltd
N.X. v Cabrini Medical Center, 97 NY2d 247, 252-253 [2002]
Statutes
The Federal Trade Commission Act
26 United States Code
Journals
Da Veiga, Adéle, and Nico Martins. “Information security culture and information protection culture: A validated assessment instrument.” Computer Law & Security Review 31.2 (2015): 243-256.
Hannah, David R., and Kirsten Robertson. “Why and how do employees break and bend confidential information protection rules?.” Journal of Management Studies 52.3 (2015): 381-413.
Rancourt, Stephen J. “Hacking, Theft, and Corporate Negligence: Making the Case for Mandatory Encryption of Personal Information.” Tex. Wesleyan L. Rev. 18 (2011): 183.
Singh, Madhav Madhusudan, Rajiv K. Agarwal, and Pranav Choudhary. “Vicarious Liability in Healthcare: A Medico Legal View.” International Journal of Scientific Research 7.1 (2018).
‘Standards For Privacy Of Individually Identifiable Health Information’ (ASPE, 2018) <https://aspe.hhs.gov/standards-privacy-individually-identifiable-health-information> accessed 13 October 2018
‘Summary Of The HIPAA Privacy Rule’ (HHS.gov, 2018) <https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html> accessed 13 October 2018
Van Deursen, Nicole, William J. Buchanan, and Alistair Duff. “Monitoring information security risks within health care.” Computers & Security 37 (2013): 31-45.
‘What Is HIPAA’ (Dhcs.ca.gov, 2018) <https://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00WhatisHIPAA.aspx> accessed 13 October 2018