Home » Publications » Alerts » Health Clinic Not Liable for Breach of Patient Confidentiality

To download a printer-friendly copy of the Alert, please click here.

If you have any questions about HIPAA or other health insurance privacy rules, please contact Robert W. Patterson 716.843.3910 rpatterson@jaeckle.com, or Lauren A. Fish 716.843.3855 lfish@jaeckle.com.

New York's highest court recently ruled that a health clinic was not liable for the unauthorized disclosure of a patient's medical information by a clinic nurse. The Court held that, since the nurse did not act in furtherance of the clinic's business and within the scope of her employment, the clinic was not liable for her actions. Nevertheless, the facts in this case were fairly unusual and liability for breaches of protected health information remains a serious risk for health care providers.  


Health care providers in New York are subject to  many different laws and regulations relating to their patients' health information and privacy rights, including several laws that impose penalties for wrongful disclosures of such information. The HIPAA privacy and security rules under Federal law are the most well-known, but New York State has also enacted laws that deal specifically with psychiatric records[1] and HIV treatments,[2] and the state hospital code includes privacy rules that apply to New York hospitals.[3] In addition, New York courts have developed many different "common law" doctrines under which health care providers can be held liable for a wrongful disclosure of confidential medical information.

Many of these New York State laws and rules were discussed in a recent case that was characterized by what could fairly be called unusual facts. A man sought treatment for a sexually transmitted disease (STD) at a New York health clinic. A clinic nurse, who happened to be the sister-in-law of the man's girlfriend, saw him there and learned of his condition by accessing the clinic's medical records. The nurse promptly (while the man was still in the clinic waiting room) texted the girlfriend that the man had tested positive for an STD — clearly violating the privacy of his health information.

After the man complained of the wrongful disclosure to clinic officials, the nurse was fired. Nevertheless the man sued the clinic in Federal court, claiming that the clinic was liable for the wrongful disclosure under a variety of legal theories, including breach of fiduciary duty, breach of contract, negligent hiring, negligent infliction of emotional distress, and violation of several different New York statutes.

Note: The plaintiff apparently did not make claims under HIPAA. Presumably this was because there is no private right of action under HIPAA. HIPAA is enforced by the Office of Civil Rights within the Health and Human Services Department.  (See last paragraph of this Alert.)

The Federal district court dismissed all of the claims against the clinic in 2012.[4] In sending the text messages the nurse had acted outside the scope of her employment and for personal reasons, the court held. Thus, the legal doctrine click to read more...



[1] Mental Hygiene Law section 33.13.

[2] Pub. Health Law sections 2782-2784.

[3] 10 NYCRR section 405.10.

[4] Doe v. Guthrie Clinic, Ltd., 2012 U.S. Dist. LEXIS 20507 (W.D.N.Y. 2012).

This Jaeckle Health Care Alert, prepared by the attorneys at Jaeckle Fleischmann & Mugel, LLP, is intended for general information purposes only and should not be considered legal advice or an opinion on specific facts. For more information on these issues, contact one of the attorneys listed above or your existing Firm contact. Prior results do not guarantee a similar outcome. The invitation to contact is not a solicitation for legal work in any jurisdiction in which the contacted attorney is not admitted to practice. Any attorney/client relationship must be confirmed in writing. 

Copyright 2014.  All Rights Reserved.  Jaeckle Fleischmann & Mugel, LLP.   Buffalo, NY.