Summary (of this case, from Guy v. Providence Health & Servs. Wash.): holding HIPAA does not preempt an independent tort claim for disclosure of private medical information by a physician or hospital.
No. 26432.
08-14-2015
Robert F. Croskery, Croskery Law Offices, Cincinnati, OH, for Plaintiffs–Appellants, Vicki Sheldon, T.D., and Haley Dercola. Doreen Canton, Evan T. Priestle, Taft Stettinius & Hollister LLP, Cincinnati, OH, for Defendant–Appellee, Kettering Adventist Healthcare. J. Steven Justice, Glen McMurry, Troy, OH, for Defendant–Appellee, Duane Sheldon.
OPINION
HALL, J.
{¶ 1} Plaintiffs-appellants Vicki Sheldon and Haley Dercola appeal from the trial court's Civ.R. 12(B)(6) dismissal of their complaint against defendant-appellee Kettering Adventist Healthcare d/b/a Kettering Health Network (“KHN”). The complaint alleged common-law tort claims for invasion of privacy, negligence, negligence per se, negligent training, negligent supervision, intentional infliction of emotional distress, and breach of fiduciary duty. The claims stemmed from KHN's alleged failure to protect the privacy of the plaintiffs' electronic medical information and the improper accessing and disclosure of that information by KHN administrator Duane Sheldon, the former spouse of Vicki Sheldon.
Dercola filed suit in her own name and as parent and legal guardian of her minor child, T.D. In addition to KHN, the complaint named Sheldon's former husband, Duane Sheldon, as a defendant. The claims against Duane Sheldon were voluntarily dismissed, however, after the trial court granted KHN's Civ.R. 12(B)(6) motion.
The complaint also alleged violations of the Fair Credit Reporting Act and the Fair Debt Collection Practices Act. Those claims were voluntarily dismissed below and are not at issue on appeal.
{¶ 2} KHN responded to the complaint by seeking dismissal under Civ.R. 12(B)(6). In support, KHN argued that each of the tort claims was based on alleged violations of the federal Health Insurance Portability and Accountability Act (“HIPAA”). KHN noted that HIPAA did not provide a private right of action to enforce its terms. Therefore, KHN reasoned that the plaintiffs could not assert common-law tort claims essentially alleging HIPAA violations. KHN argued that the “[p]laintiffs should not be permitted to circumvent the bar on private enforcement of HIPAA violations by merely masking alleged HIPAA violations as common-law torts.” (Doc. # 14 at 9). Alternatively, KHN argued that the plaintiffs had failed to plead facts establishing the elements for their alleged claims for invasion of privacy, negligent training, negligent supervision, and intentional infliction of emotional distress. The plaintiffs responded by arguing, among other things, that nothing prohibited them from “pursuing common law claims based on violations of their privacy just because such claims overlap with HIPAA violations.” (Doc. # 18 at 2). They also asserted that their tort claims had been pled sufficiently. (Id. at 8–13). The plaintiffs additionally moved for leave to file a first amended complaint, seeking to clarify that they were alleging tortious conduct apart from HIPAA. (Doc. # 27).
{¶ 3} The trial court sustained KHN's Civ.R. 12(B)(6) motion in an October 21, 2014 decision and entry. (Doc. # 32). After reviewing the plaintiffs' complaint, the trial court concluded that each of their tort claims was based on an alleged HIPAA violation. Because HIPAA does not provide a private right of action, the trial court concluded that the plaintiffs could not state a claim for relief. (Id. ). The decision did not address KHN's alternative arguments to dismiss some of plaintiff's claims. The trial court's ruling also did not explicitly address the plaintiffs' motion for leave to amend their complaint. The trial court subsequently dismissed that motion, as moot, based on its sustaining of KHN's Civ.R. 12(B)(6) motion.
{¶ 4} In their first assignment of error, the plaintiffs contend the trial court erred in dismissing their common-law claims against KHN. While conceding that HIPAA itself does not provide a private right of action to enforce its terms, the plaintiffs insist that the statute also does not preclude their common-law tort claims, which, they argue, point to HIPAA and other sources for a standard of care. In response, KHN argues, as it did below, that the plaintiffs cannot maintain common-law tort claims based on, and resulting from, alleged HIPAA violations. In a second assignment of error, the plaintiffs contend the trial court erred in not allowing them to amend their complaint to make clear that they were not seeking recovery under HIPAA and that they were relying on the statute, at most, to establish a standard of care.
{¶ 5} We begin our review with the standards applicable to a Civ.R. 12(B)(6) motion. A motion to dismiss a complaint for failure to state a claim upon which relief can be granted, pursuant to Civ.R. 12(B)(6), tests the sufficiency of a complaint. For a defendant to prevail, it must appear beyond doubt from the complaint that the plaintiff can prove no set of facts entitling him to relief. O'Brien v. University Community Tenants Union, Inc., 42 Ohio St.2d 242, 245, 327 N.E.2d 753 (1975). A court must construe the complaint in the light most favorable to the plaintiff, presume all of the factual allegations to be true, and make all reasonable inferences in the plaintiff's favor. Mitchell v. Lawson Milk Co., 40 Ohio St.3d 190, 192, 532 N.E.2d 753 (1988). We conduct a de novo review of a dismissal under Civ.R. 12(B)(6). Grover v. Bartsch, 170 Ohio App.3d 188, 2006-Ohio-6115, 866 N.E.2d 547, ¶ 16 (2d Dist.).
{¶ 6} With the foregoing standards in mind, we turn to the complaint in this case. It contains the following factual allegations:
6. Defendant KHN uses a system of software for storing, maintaining, accessing, and protecting electronic medical information. The system is known as “EPIC.” When properly used, the system protects medical information from being accessed by unapproved personnel to comply with the federal law Health Insurance Portability and Accountability Act, otherwise known as “HIPAA.”
7. The “EPIC” System uses reports to ensure that electronic medical information is safely protected and remains private. Through a series of reports, known as “CLARITY” reports, the hospital or authorized medical information custodian has the ability to ensure that records are not being improperly accessed through, but not limited to, the following reports: * * * [The complaint lists numerous different types of reports that allegedly can be produced to help detect possible security or privacy breaches]. The cumulative effect of the regular running and monitoring of these Epic Clarity reports is to detect and deter improper access. When routinely run and monitored, the Epic Clarity reports provide early detection of privacy breaches of EHRs.
8. Under the HIPAA Security Rule, a covered entity must identify and analyze potential risks to electronic private health information, and it must implement security measures that reduce risks and vulnerabilities to a reasonable level. Epic reports should be run and reviewed on a consistent and recurring basis, no less than monthly, and preferably weekly, in order to adequately monitor, ensure and protect the privacy of health information to meet the HIPAA Risk Analysis and Management Process. When used properly and effectively, EPIC Software and CLARITY Reports provide auditing and monitoring protection for electronic health information.
9. Defendant D. SHELDON, an administrator for KPN under the KHN, had access to the EPIC system but was not authorized to access the health records of the Plaintiffs. Defendant D. Sheldon improperly accessed the health records of Plaintiffs on multiple occasions over a period of at least 15 months, as Defendant KHN failed to take reasonable steps under EPIC and CLARITY to detect his unauthorized access or otherwise to protect such information.
10. Duane Sheldon, as administrator, commenced at least one extramarital affair with certain others in the Kettering Health Network. In order to enhance his affair, Duane Sheldon improperly accessed extremely sensitive medical information belonging to Vicki Sheldon, and shared such information with his paramour, who is an employee of KPN who reported to D. Sheldon.
11. In addition, upon information and belief, Duane Sheldon and other parties in his department created one or more fictitious names that do not represent real parties or real users of health information to improperly access protected health information.
12. These fictitious names accessed Plaintiffs' protected health information.
13. In addition, there were significant other breach incidents by D. SHELDON and his accomplices of Vicki Sheldon's protected health information, and also to the protected health information of H. DERCOLA and [T.D.].
14. The breach of such information would have been prevented (or greatly minimized) had Defendant KHN been taking the reasonable and normal steps to protect Plaintiff's health information by running weekly or at least monthly EPIC CLARITY reports, and monitoring those reports.
15. Defendant KHN eventually revealed to Plaintiffs that there had been multiple breaches of their private and protected health information, in violation of the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”) however, when Plaintiffs requested proper information from the “EPIC” and “CLARITY” reports to examine the nature of the actual breaches, KHN refused to provide them. In fact, Plaintiffs, through counsel, on multiple occasions asked for copies of the “EPIC” reports, by name, that would have shown the exact nature of the privacy breaches, and Defendant refused to provide them and/or stated that such reports did not exist.
16. Instead, Defendant Kettering Health Network provided a “Homegrown” Report (a report designed by KHN employees to control what information to provide) that is inadequate, and then proceeded to provide false and malicious information regarding the parties that are listed on the “Homegrown” Report.
Although the complaint contains two additional paragraphs of factual allegations after paragraph sixteen, those allegations involve other causes of action that the plaintiffs voluntarily dismissed below.
{¶ 7} In short, paragraphs six through eight provide background factual information about KHN's use of the EPIC system and CLARITY reports to comply with HIPAA's security rule regarding the protection of electronic health information and the detection of breaches. Paragraph nine alleges that KHN administrator Duane Sheldon gained unauthorized access to plaintiffs' health records due to KHN's failure to take reasonable steps, under EPIC and CLARITY, to protect the information or detect his actions. Paragraph ten alleges that the information he “improperly accessed” was shared with a subordinate KHN employee with whom he was having an affair. Paragraphs eleven and twelve allege that he and others created “fictitious names that do not represent real parties,” which were used to improperly access health information. Paragraph thirteen alleges other breaches of plaintiffs' health information by Duane Sheldon. Paragraph fourteen alleges that the breaches would have been prevented or minimized if KHN had taken reasonable steps to protect the information by running and monitoring CLARITY reports. Paragraph fifteen alleges that KHN eventually disclosed the breaches to the plaintiffs but refused to provide them with pertinent CLARITY reports. Paragraph fifteen also mentions “the HITECH Act,” which amended HIPAA in 2009. Paragraph sixteen alleges that KHN provided the plaintiffs with a different, inadequate report prepared by KHN employees that contained false and malicious information.
{¶ 8} We discern at least two types of tortious activity alleged by the plaintiffs: (1) Duane Sheldon's intentional improper accessing and sharing of their health information and (2) KHN's alleged failure to take reasonable steps to protect that information and to detect Duane Sheldon's breaches. We note that the factual allegations about Duane Sheldon's conduct do not necessarily appear to depend on an alleged HIPAA violation. The statute is invoked only in connection with the plaintiffs' factual allegations about KHN failing to take reasonable steps to protect their health information and to detect his breaches. In particular, the plaintiffs allege that KHN failed to regularly run and monitor CLARITY reports, which they allege was required by HIPAA.
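The allegations the court has just summarized turn on routine review of access-audit records: user accounts that no workforce record explains (the "fictitious names" of ¶¶ 11–12), and repeated access to a relative's chart by someone with no care role (¶¶ 9–10), both of which the complaint says periodic report review would have surfaced (¶ 14). As an added illustration, not part of the opinion and not Epic or Clarity code, the Python below runs those checks over a constructed audit log. The pipe-delimited log format, the user and patient names, the workforce roster and the care-team table are all hypothetical; a real deployment would feed these functions from the EHR's own audit export and identity sources.

```python
"""Periodic review of EHR access-audit records (constructed example).

Three checks a privacy/security team would run on a recurring cadence:
  1. accounts present in the audit trail but absent from the workforce roster
  2. access where the user's surname matches the patient's surname
  3. access by users with no documented treatment relationship to the patient
All identifiers and the log format below are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Hypothetical workforce roster: user_id -> (display name, department)
WORKFORCE = {
    "jdoe": ("Jordan Doe", "Administration"),
    "rlee": ("Rita Lee", "Oncology"),
    "apatel": ("Anil Patel", "Oncology"),
}

# Hypothetical patient index: MRN -> patient name
PATIENTS = {"MRN1001": "Pat Doe", "MRN1002": "Casey Nguyen", "MRN1003": "Sam Rivera"}

# Hypothetical care-team feed: MRN -> user_ids with a treatment relationship
CARE_TEAM = {
    "MRN1001": {"rlee", "apatel"},
    "MRN1002": {"apatel"},
    "MRN1003": {"apatel"},
}

# Constructed audit lines: timestamp|user_id|mrn|action|workstation
AUDIT_LOG = """\
2014-01-05T09:12:00|rlee|MRN1001|VIEW_CHART|ONC-WS-03
2014-01-05T09:15:00|apatel|MRN1001|VIEW_NOTES|ONC-WS-07
2014-01-06T22:41:00|jdoe|MRN1001|VIEW_CHART|ADMIN-WS-01
2014-01-20T23:05:00|jdoe|MRN1001|VIEW_LABS|ADMIN-WS-01
2014-02-11T21:30:00|jdoe|MRN1002|VIEW_CHART|ADMIN-WS-01
2014-02-11T21:33:00|tmp_user7|MRN1001|VIEW_CHART|ADMIN-WS-01
2014-02-12T21:40:00|tmp_user7|MRN1002|PRINT|ADMIN-WS-01
2014-03-01T10:00:00|apatel|MRN1003|VIEW_CHART|ONC-WS-07
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user_id: str
    mrn: str
    action: str
    workstation: str


def parse_audit_log(text):
    """Parse the hypothetical pipe-delimited format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user_id, mrn, action, ws = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user_id, mrn, action, ws))
    return events


def _surname(full_name):
    return full_name.split()[-1].lower()


def find_unknown_accounts(events, workforce):
    """User ids in the audit trail that no workforce record explains."""
    return sorted({e.user_id for e in events if e.user_id not in workforce})


def find_same_surname_access(events, workforce, patients):
    """(user, mrn) -> count where the user's surname equals the patient's surname."""
    hits = Counter()
    for e in events:
        if e.user_id in workforce and _surname(workforce[e.user_id][0]) == _surname(patients[e.mrn]):
            hits[(e.user_id, e.mrn)] += 1
    return dict(hits)


def find_no_treatment_relationship(events, care_team):
    """(user, mrn) -> count of accesses by users not on that patient's care team."""
    hits = Counter()
    for e in events:
        if e.user_id not in care_team.get(e.mrn, set()):
            hits[(e.user_id, e.mrn)] += 1
    return dict(hits)


def review(audit_text, workforce=WORKFORCE, patients=PATIENTS, care_team=CARE_TEAM):
    """Run all three checks once; intended to be scheduled weekly or monthly."""
    events = parse_audit_log(audit_text)
    return {
        "unknown_accounts": find_unknown_accounts(events, workforce),
        "same_surname": find_same_surname_access(events, workforce, patients),
        "no_treatment_relationship": find_no_treatment_relationship(events, care_team),
    }


if __name__ == "__main__":
    for name, finding in review(AUDIT_LOG).items():
        print(name, finding)
```

The same-surname check is a coarse heuristic (it misses ex-spouses who changed names and fires on unrelated people who share a surname); the care-team check is the stronger control, but it is only as good as the treatment-relationship feed behind it. Neither check helps unless someone actually runs it on a schedule and reads the output, which is the gap the complaint alleges.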
{¶ 9} Based on the foregoing allegations, the plaintiffs argue they asserted common-law causes of action against Duane Sheldon individually for invasion of privacy, negligence, intentional infliction of emotional distress, and breach of fiduciary duty. We agree with the trial court that the complaint fairly can be read as alleging common-law claims against Duane Sheldon for improperly accessing and sharing the plaintiffs' health information, regardless of HIPAA's prohibition to the contrary. The trial court reached the same conclusion in an October 21, 2014 decision and entry denying Duane Sheldon's Civ.R. 12(B)(6) motion to dismiss. (Doc. # 34).
We recognize that the plaintiffs voluntarily dismissed their claims against Duane Sheldon after the trial court granted KHN's Civ.R. 12(B)(6) motion. We nevertheless find a discussion of those claims pertinent to our analysis of KHN's Civ.R. 12(B)(6) motion and the plaintiffs' motion for leave to amend their complaint.
{¶ 10} An important issue for purposes of KHN's appeal is whether the plaintiffs are seeking to hold KHN liable on a respondeat-superior basis for Duane Sheldon's allegedly tortious actions. Although the original complaint is perhaps unclear, the plaintiffs clarified the uncertainty in their proposed amended complaint that they filed before the trial court granted KHN's Civ.R. 12(B)(6) motion. Therein, the plaintiffs proposed to allege that Duane Sheldon was a high-ranking administrator for KHN and added the allegation that “KHN is responsible for Defendant D. SHELDON's actions on the grounds of respondeat superior, as his access of the health information, although improper, was within the scope of his duties as a high level administrator at KHN.” (Doc. # 27, Plaintiffs' proposed first amended complaint at ¶ 20). We therefore generously construe the original complaint to mean that plaintiffs in fact are attempting to hold KHN vicariously liable for Duane Sheldon's actions, which allegedly constituted several torts. Consequently we must determine whether the allegation of respondeat-superior liability could survive dismissal under Civ.R. 12(B)(6). If so, the trial court should either have so construed the original complaint or permitted the plaintiffs' proposed amendment in that regard.
{¶ 11} The existing complaint alleges that Duane Sheldon, a KHN administrator, “was not authorized to access the health records of the Plaintiffs” and KHN failed to “detect his unauthorized access” (Complaint at ¶ 9). It also alleges that “Duane Sheldon improperly accessed extremely sensitive medical information” (Id. at ¶ 10) and shared that information with another KHN employee. He did this by creating “one or more fictitious names * * * to improperly access protected health information.” (Id. at ¶ 11). The complaint alleges that Sheldon's actions were “malicious and reckless.” (Id. at ¶ 22). The proposed amended complaint, which expands on the respondeat superior allegation, contains the same language as in the original and additionally alleges that Duane Sheldon violated the plaintiffs' privacy by “wrongfully intruding into [plaintiffs'] records and wrongfully publishing such information to third parties.” (Proposed Amended Comp. at ¶ 22). The plaintiffs' clarification also alleges that “his access of the health information, although improper, was within the scope of his duties as a high level administrator at KHN.” (Id. at ¶ 20).
{¶ 12} “It is well-established that in order for an employer to be liable under the doctrine of respondeat superior, the tort of the employee must be committed within the scope of employment. Moreover, where the tort is intentional * * * the behavior giving rise to the tort must be ‘calculated to facilitate or promote the business for which the servant was employed * * *.’ ” Byrd v. Faber, 57 Ohio St.3d 56, 58, 565 N.E.2d 584 (1991), quoting Little Miami R.R. Co. v. Wetmore, 19 Ohio St. 110, 132 (1869). An intentional and willful act committed by an employee “to vent his own spleen or malevolence against the injured person, is a clear departure from his employment” and will not support respondeat-superior liability. Id. at 59, 565 N.E.2d 584. In Byrd, the Ohio Supreme Court found Civ.R. 12(B)(6) dismissal appropriate where the plaintiff attempted to use respondeat superior to hold a religious organization liable for a sexual assault by a pastor against a parishioner.
{¶ 13} We reach the same conclusion here, where the complaint alleges that Duane Sheldon intentionally and improperly gained unauthorized access to the plaintiffs' health records for personal reasons in furtherance of an affair. Even construing the complaint, or the proposed amended complaint, most strongly in the plaintiffs' favor, they can prove no set of facts entitling them to relief against KHN on a respondeat-superior basis for Duane Sheldon's alleged behavior. As a result, KHN was entitled to dismissal under Civ.R. 12(B)(6) insofar as the plaintiffs sought to hold KHN vicariously liable for Duane Sheldon's improper accessing and sharing of their health information, and the trial court did not err in refusing to allow the plaintiffs to amend their complaint to make the respondeat-superior theory more clear.
{¶ 14} We note that a court of appeals in our neighbor state of Indiana has reached an apparent contrary conclusion. In Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind.Ct.App.2014), Audra Withers was a Walgreen's pharmacist who was involved in a relationship with plaintiff Hinchy's former boyfriend. Withers accessed Hinchy's prescription profile to find any information about plaintiff's potential STD. The boyfriend, to whom the accessed private information was apparently disclosed, contacted Hinchy a few days later claiming he had a print out of her drug information. A jury awarded $1.8 million in damages and determined Walgreen's and Withers were 80 percent responsible. Upon review, the court of appeals cited portions of the Restatement (Third) of Agency, § 7.07 (2006), including that “[a]n employee's act is not within the scope of employment when it occurs within an independent course of conduct not intended by the employee to serve any purpose of the employer.” Id. at § 7.07(2). It also referred to Ingram v. City of Indianapolis, 759 N.E.2d 1144 (Ind.Ct.App.2001), for the proposition that when some of the employee's acts are of the same nature as those authorized by the employer and some not, whether the employee is acting within the scope of employment is a question of fact to be determined by the jury. The court concluded that whether “Withers was acting in the scope of her employment was properly determined by the jury rather than as a matter of law by the trial court.” Hinchy at 108.
{¶ 15} We do not believe Ohio law is so generous. We have previously said “a servant's conduct is within the scope of his employment if it is of the kind which he is employed to perform, occurs substantially within the authorized limits of time and space, and is actuated, at least in part, by a purpose to serve the master.” Cooke v. Montgomery Cty., 158 Ohio App.3d 139, 2004-Ohio-3780, 814 N.E.2d 505, ¶ 20 (2d Dist.). The “purpose to serve the master” ingredient has been used by several other Ohio courts of appeal. The Ohio Supreme Court's formulation of the requirement is that “an employer is not liable for independent self-serving acts of his employees which in no way facilitate or promote his business.” Byrd at 59, 565 N.E.2d 584. This purpose-to-serve-the-master aspect does not appear in Indiana discussions of their analysis of scope of employment. Here, however, the undisputed facts for purposes of KHN's motion are as alleged in the complaint about Duane Sheldon's “unauthorized” and “improper” access of health information by the creation of “fictitious names,” and his “shar[ing] such information with his paramour” “in order to enhance his affair.” We see no part of that activity that has a purpose to serve KHN. Accordingly, under Ohio law, Sheldon was not acting within the scope of employment and, therefore, the plaintiffs can prove no set of facts entitling them to relief on a respondeat-superior claim.
We note that the proposed amended complaint alleges that “KNH is responsible for Defendant D. Sheldon's actions on the ground of respondeat superior, as his access of the health information, although improper, was within the scope of his duties as a high level administrator at KHN.” (Proposed Amended Comp. at ¶ 20). We make two observations in response. First, “[u]nsupported conclusions of a complaint are not considered admitted * * * and are not sufficient to withstand a motion to dismiss.” State ex rel. Hickman v. Capots, 45 Ohio St.3d 324, 544 N.E.2d 639 (1989). Thus, alleging the conclusion that his access to records was within the scope of his duties does not contradict the numerous factual allegations that his access to these records was unauthorized and improper. Second, the fact that Duane Sheldon's position may have entailed access to all the records of the entire hospital does not make his access of his ex-wife's records an authorized intrusion within the scope of employment.
{¶ 16} We turn now to the factual allegations in the complaint regarding KHN's own failure to take reasonable steps, as alleged to be required under HIPAA, to protect the plaintiffs' health information and to detect Duane Sheldon's breaches. As noted above, the plaintiffs' allegations are grounded in the notion that KHN failed to regularly run and monitor the EPIC system CLARITY reports in violation of HIPAA. According to the complaint, “the system protects medical information from being accessed by unapproved personnel to comply with the federal law * * * known as ‘HIPAA.’ ” (Doc. # 1 at ¶ 6). “[T]he cumulative effect of the regular running of these Epic Clarity reports is to detect and deter improper access.” (Id. at ¶ 7). “Epic reports should be run and reviewed on a consistent and recurring basis * * * to meet the HIPAA Risk Analysis and Management Process.” (Id. at ¶ 8).
{¶ 17} Based on the plaintiffs' own specifically-titled headings of the complaint's stated causes of action, they intended to assert common-law causes of action against KHN for invasion of privacy, negligence, negligence per se, negligent training, negligent supervision, intentional infliction of emotional distress, and breach of fiduciary duty. The trial court found these claims subject to Civ.R. 12(B)(6) dismissal because they all essentially alleged violations of HIPAA, or were “HIPAA based,” and the statute does not provide a private right of action. (Doc. # 32 at 4–5).
{¶ 18} As a preliminary matter, it is beyond dispute that HIPAA itself does not create an express or implied private right of action for violations of its provisions. See, e.g., Acara v. Banks, 470 F.3d 569, 571 (5th Cir.2006). The cases supporting this holding are legion, and the plaintiffs agree HIPAA provides no private action. Despite the fact that plaintiffs argue that they have asserted common-law claims and not a statutory HIPAA claim, unquestionably the complaint is grounded in the notion that KHN's actions were wrongful because they failed to take steps, consistent with HIPAA, that would have prevented or reduced the risk of disclosure. Nevertheless, at this stage of the litigation we are required to interpret the complaint broadly to determine whether the allegations assert common-law tort claims independent from HIPAA. Thus, the absence of a private right of action under HIPAA does not necessarily resolve the issues before us. For that reason, we find some of the case law cited by KHN to be of little assistance. The Ohio case law upon which KHN relies does not decide whether a plaintiff can bring a common-law tort claim that might also involve a HIPAA violation for which no private statutory right of action exists. KHN cites OhioHealth Corp. v. Ryan, 10th Dist. Franklin No. 10AP–937, 2012-Ohio-60, 2012 WL 68733, which states: “HIPAA does not allow a private cause of action, according to Ohio law.” Id. at ¶ 18, citing Henry v. Ohio Victims of Crime Compensation Program, S.D.Ohio No. 2:07–cv–0052, 2007 WL 682427 (Feb. 28, 2007) ; see also Shepherd v. Sheldon, N.D.Ohio No. 1:11 CV 127, 2011 WL 2971965 (July 21, 2011) ; Siegler v. Ohio State Univ., S.D.Ohio No. 2:11–cv–170, 2011 WL 1990570 (May 23, 2011) ; and Wood v. Byer, N.D.Ohio No. 5:06CV137, 2006 WL 3304053 (Aug. 9, 2006).
{¶ 19} The Ohio federal cases cited in OhioHealth Corp. v. Ryan stand for the undisputed proposition that Congress did not create a private, statutory right of action to enforce HIPAA's terms. KHN also cites Boddie v. Van Steyn, 10th Dist. Franklin No. 13AP–623, 2014-Ohio-1069, 2014 WL 1347222. The only cause of action at issue there was a recognized tort claim for breach of physician-patient confidentiality. The Tenth District held that the claim failed for reasons having nothing to do with HIPAA, which was mentioned in passing in the final paragraph.
In Henry, the court noted that the plaintiff's claims actually appeared to be brought under HIPAA, which lacks a private right of action. In Shepherd, the plaintiffs admitted that they did not allege a claim under HIPAA or any tort claims at all. Although HIPAA had nothing to do with the case, the court recognized in a footnote that it does not create a private right of action. In Siegler, the court held that no claim could be brought “under HIPAA” because it lacked a private right of action and that any common law claim would be barred by the Eleventh Amendment, which is not at issue in the present case. Finally, in Wood, the plaintiff actually attempted to bring a claim under HIPAA itself. The court rejected the attempt because “HIPAA does not provide a private cause of action [.]” Although we do not disagree with any of the foregoing findings, none of them address the issue before us.
{¶ 20} Contrary to the language in OhioHealth Corp. v. Ryan upon which KHN relies, we find it imprecise to say that HIPAA “does not allow a private cause of action.” What we should determine is whether HIPAA prohibits common-law tort claims based on the wrongful release of confidential medical information unrelated to and independent from HIPAA itself. Indeed, the State of Ohio has recognized an independent tort for the “unauthorized, unprivileged disclosure to a third party of nonpublic medical information[.]” Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395, 401, 715 N.E.2d 518 (1999), paragraph one of the syllabus. Biddle, however, was decided before HIPAA's privacy-rule regulations were published on December 28, 2000 and before its security-rule regulations took effect on April 21, 2003. Therefore, we must first determine whether Biddle's common-law right of action recognized in 1999 survives HIPAA.
{¶ 21} Arguing that HIPAA “does not allow” such a common-law tort claim is another way of saying that it preempts one. “It is well settled that the Supremacy Clause of the federal Constitution grants Congress the power to preempt state law.” Leppla v. Sprintcom, Inc., 156 Ohio App.3d 498, 2004-Ohio-1309, 806 N.E.2d 1019, ¶ 11 (2d Dist.), citing Minton v. Honda of Am. Mfg., Inc., 80 Ohio St.3d 62, 68, 684 N.E.2d 648 (1997), abrogated on other grounds by Geier v. Am. Honda Motor Co., Inc., 529 U.S. 861, 120 S.Ct. 1913, 146 L.Ed.2d 914 (2000). The Ohio Supreme Court has “recognized three ways state law can be preempted by the Supremacy Clause: (1) where federal law expressly preempts state law (express preemption); (2) where federal law has occupied the entire field (field preemption); or (3) where there is a conflict between federal law and state law (conflict preemption).” Id. at ¶ 12, citing Minton at 69, 684 N.E.2d 648.
{¶ 22} “In the case of field preemption, ‘state law is pre-empted where it regulates conduct in a field that Congress intended the Federal Government to occupy exclusively.’ ” Id. “In the case of conflict preemption, state law is preempted ‘where it is impossible for a private party to comply with both state and federal requirements,’ or ‘where state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress.’ ” (Citations omitted). Id.
{¶ 23} HIPAA is a combination of the statute and the regulations adopted under its authority. The HIPAA statute states that it “shall supersede any contrary provision of State law.” 42 U.S.C. § 1320d–7(a)(1) ; see also 45 C.F.R. § 160.203. But the statute specifically directs that any regulations shall not supersede state law that is “more stringent” than the requirements under HIPAA. Section 264(c)(2) of Public Law 104–191. The regulations provide that state law is “contrary” to HIPAA when (1) it is “impossible to comply with both the State and Federal requirements;” or (2) “state law stands as an obstacle to the accomplishment and execution” of the act. 45 C.F.R. § 160.202. The “more stringent” exception is adopted in 45 C.F.R. § 160.203(b). The regulations also explain that a state law is “more stringent” than HIPAA if the state law provides greater privacy protection, provides the patient greater rights of access or access to more information than HIPAA, or narrows the scope or duration of the use or disclosure of information HIPAA would allow. 45 C.F.R. § 160.202. Significantly, “State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.” (Emphasis added). Id.
{¶ 24} Upon review, we conclude that HIPAA does not preempt the Ohio independent tort recognized by the Ohio Supreme Court in Biddle “for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship.” Biddle, at paragraph one of the syllabus. However, we further conclude that federal regulations—as opposed to an Ohio statute that sets forth a positive and definite standard of care—cannot be used as a basis for negligence per se under Ohio law. Additionally, in our view utilization of HIPAA as an ordinary negligence “standard of care” is tantamount to authorizing a prohibited private right of action for violation of HIPAA itself, and moreover, in specific regard to plaintiffs' allegation that monitoring access to medical records was too infrequent, HIPAA does not provide a standard of care as to the frequency of review of information-system activity.
{¶ 25} We determine that a Biddle claim is not preempted because we fail to see how such a claim conflicts with HIPAA unless the alleged claim asserts recovery for release of information that HIPAA specifically allows. And although Congress has provided for enforcement of HIPAA by the Secretary of Health and Human Services, 42 U.S.C.A. §§ 1320d–5, 1320d–6, and more recently, by State Attorneys General, see 42 U.S.C.A. § 1320d–5(d), the allowance of recovery of an individual's damages does not interfere with government enforcement. Therefore, we do not find it is impossible to comply with HIPAA and with state law to the extent we have indicated, and state law is not an obstacle to the accomplishment of HIPAA's purposes. We believe a Biddle claim enhances the protection of confidentiality of medical information.
{¶ 26} Despite our agreement that a cause of action still exists for “unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship,” Biddle, at paragraph one of the syllabus, plaintiffs have not alleged a set of facts that would entitle them to relief under Biddle. Initially we note that none of the titles for the causes of action in the complaint refer to a Biddle-type independent cause of action. The only references to Biddle in the plaintiffs' various filings and briefs, both here and in the trial court, are references to the Biddle case in arguments associated only with the alleged breach-of-fiduciary-duty claim. In fact, the plaintiffs appear to equate their fiduciary-duty claim with a Biddle claim, arguing: “KHN breached its fiduciary duty of confidentiality as set forth in Biddle by disclosing information to unauthorized employees.” (Appellants' brief at 10.) But the plaintiffs' allegations fall short of raising such a claim. As applied to KHN, we conclude, and the hospital does not appear to dispute, that Sheldon's alleged actions were “unauthorized.” He may have had authority to access any hospital medical record for a legitimate administrative purpose, but not for personal spying on his former spouse or his sharing of that information with a co-worker. It likewise appears the allegations in the complaint are sufficient to conclude that his access and subsequent disclosure were “unprivileged.” The crux of the issue is whether Sheldon's alleged acts amount to “disclosure” by KHN or “disclosure” for which the hospital may be held legally responsible. We note that the allegations fail to allege that KHN actively or intentionally disclosed anything.
{¶ 27} Biddle itself dealt with deliberate intentional disclosure of patient information by a hospital to a law firm to screen patients for SSI eligibility to see if that source could pay patients' outstanding hospital bills. The attorneys were to be paid a contingency for patients where an SSI claim paid the hospital. For “two and one-half years, the hospital released all of its patient registration forms to the law firm without obtaining any prior consent or authorization from its patients to do so, and without prescreening or sorting them in any way.” Biddle at 395, 715 N.E.2d 518. Under any set of circumstances, pre- or post-HIPAA, with or without reference to HIPAA regulations, the intentional, unauthorized disclosures in Biddle should be actionable. Accordingly, we conclude that the independent tort recognized in Biddle is still viable after HIPAA although the parameters of such a claim may have been impacted by HIPAA preemption.
{¶ 28} We note that recognition of a Biddle claim post-HIPAA presents a seemingly unsolvable conundrum. In many cases, as here, whether a release of information is “unauthorized” will not be in question. However, if the validity of authorization is disputed, the parties very well might refer to the specific authorization provisions of the HIPAA privacy rules for guidance. If authorization under Ohio medical privacy law or rules is more relaxed than HIPAA, then Ohio's less-stringent authorization provisions are not effective because they are preempted by HIPAA. But one could argue that using HIPAA-specific authorization regulations to determine whether release is “unauthorized” allows for the enforcement of HIPAA regulations, which is arguably contrary to the overwhelming conclusion that HIPAA does not provide a private right of action. Because authorization of the release is not in question here, we need not resolve this problem.
{¶ 29} Although case law delineating the parameters of a Biddle claim is still developing, the consolidation of other theories of recovery into that recognized tort is certain. In Biddle, as here, the plaintiffs alleged claims for invasion of privacy, intentional infliction of emotional distress, and negligence. The Biddle court reasoned: “[A]s to appellees' continued insistence that they be entitled to pursue other theories of liability, we agree with the reasoning of the appellate court that these other theories are either unavailable, inapplicable because of their respective doctrinal limitations, or subsumed by the tort of breach of confidence [i.e., a Biddle claim]. Indeed, it is the very awkwardness of the traditional causes of action that justifies the recognition of the tort for breach of confidence in the first place.” Biddle at 408–409, 715 N.E.2d 518; see also Norris v. Smart Document Solutions, LLC, 483 Fed.Appx. 247, 248–49 (6th Cir.2012) (recognizing that a Biddle claim is “its own independent tort [which] forecloses an argument that [plaintiff's] action should be understood as one for the long-recognized tort of wrongful taking of personal property” known as conversion). Although breach of fiduciary duty is not mentioned as subsumed in Biddle, or as foreclosed as in Norris, we determine that the plaintiffs' alleged seventh count for breach of fiduciary duty is subsumed along with the other theories, particularly when appellant contends that “KHN breached its fiduciary duty of confidentiality as set forth in Biddle by disclosing information to unauthorized employees.” (Appellants' Brief at 10).
{¶ 30} In any event, we decline to recognize the plaintiffs' alleged “Third Count: Negligence Per Se,” which undoubtedly is “HIPAA based,” for three separate reasons. First, to the extent that HIPAA universally has been held not to authorize a private right of action, to permit HIPAA regulations to define per se the duty and liability for breach is no less than a private action to enforce HIPAA, which is precluded. Second, in Chambers v. St. Mary's School, 82 Ohio St.3d 563, 697 N.E.2d 198 (1998), the Ohio Supreme Court held that “[t]he violation of an administrative rule does not constitute negligence per se; however such a violation may be admissible as evidence of negligence.” Id. at syllabus. Therefore, under Ohio case law the HIPAA administrative rules that appellants argue are applicable cannot be the basis of a negligence per se theory of recovery. Third, critical allegations in the complaint state that “Epic reports should be run and reviewed on a consistent and recurring basis, no less than monthly, and preferably weekly, in order to adequately monitor, ensure and protect the privacy of health information to meet the HIPAA Risk Analysis and Management Process.” (Complaint at ¶ 8.) These allegations suggest that had KHN audited its records more frequently it would have discovered Duane Sheldon's intrusion sooner (although, significantly, after he already had accessed the plaintiffs' records at least once). This allegation implies that HIPAA presents some “standard” for when and how information security audits should be performed. We have not found any such regulation. We note that 45 C.F.R. § 164.312(b) provides for a hospital to “[i]mplement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Another regulation, 45 C.F.R. § 164.530(i)(1), provides that “policies and procedures must be reasonably designed, taking into account the size of and the type of activities related to protected health information undertaken by the covered entity, to ensure such compliance.” These regulations are flexibly designed to accommodate the vast array of medical providers. The regulations do require auditing of record access, but they do not provide a “standard” for how frequently to do so. In this regard, the regulations do not set forth “a positive and definite standard of care * * * whereby a jury may determine whether there has been a violation thereof by finding a single issue of fact.” Eisenhuth v. Moneyhon, 161 Ohio St. 367, 374, 119 N.E.2d 440 (1954). Accordingly, the regulations at issue are insufficient to support negligence per se liability.
The negligence per se count of the complaint says only that KHN “violated standards for protecting electronic health information” without reference to HIPAA or any specific statute or regulation to support negligence per se. In their brief, the plaintiffs' argument makes clear that this claim is referring to “HIPAA requirements.” (Appellant's Brief at 13).
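The monitoring allegation discussed in ¶ 30 turns on review cadence: 45 C.F.R. § 164.312(b) requires that activity in systems holding electronic protected health information be recorded and examined, but it does not say how often, and any scheduled review can only surface an access that has already taken place. The following Python is an illustration added by the editor; it is not part of the opinion, the complaint, or any Epic or CLARITY product. It examines a constructed access log against three review rules (an employee opening the record of a patient who shares the employee's surname, an access with no documented purpose, and repeated unexplained accesses by one user) and computes how long an access would sit unexamined under a monthly versus a weekly schedule. The rules, thresholds, log entries and names are assumptions chosen for illustration, not regulatory requirements or real data.

```python
"""Added illustration (not from the opinion): periodic examination of an EHR
access log, as 45 C.F.R. 164.312(b) requires, with the review cadence and the
detection rules left to the covered entity. The rules and the log below are
assumptions for illustration, not regulatory requirements or real data."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user_id: str
    user_surname: str
    role: str
    patient_id: str
    patient_surname: str
    reason: str  # documented purpose ("treatment", "billing", ...); "" if none recorded


@dataclass(frozen=True)
class Finding:
    rule: str
    user_id: str
    patient_id: str
    detail: str


# Constructed sample log; every identifier and name is invented.
SAMPLE_LOG = [
    AccessEvent(datetime(2014, 3, 3, 9, 5), "u100", "Ng", "nurse", "p1", "Ortiz", "treatment"),
    AccessEvent(datetime(2014, 3, 3, 9, 6), "u100", "Ng", "nurse", "p2", "Patel", "treatment"),
    AccessEvent(datetime(2014, 3, 4, 22, 41), "u207", "Rowe", "administrator", "p7", "Rowe", ""),
    AccessEvent(datetime(2014, 3, 11, 23, 2), "u207", "Rowe", "administrator", "p8", "Blake", ""),
    AccessEvent(datetime(2014, 3, 12, 8, 0), "u300", "Kim", "billing", "p9", "Lee", "billing"),
]
REVIEW_ANCHOR = datetime(2014, 3, 1)                       # first scheduled review (assumed)
MARCH_WINDOW = (datetime(2014, 3, 1), datetime(2014, 4, 1))  # a monthly review window
FIRST_WEEK = (datetime(2014, 3, 1), datetime(2014, 3, 8))    # a weekly review window


def review(events: Iterable[AccessEvent], start: datetime, end: datetime,
           unexplained_threshold: int = 2) -> list[Finding]:
    """Examine events with start <= ts < end and return findings for triage.
    Rules (assumed, illustrative):
      same_surname          user opened the record of a patient sharing their surname
      no_documented_reason  no purpose recorded for the access
      repeated_unexplained  one user has >= unexplained_threshold unexplained accesses
    """
    findings: list[Finding] = []
    unexplained: Counter[str] = Counter()
    for e in sorted((e for e in events if start <= e.ts < end), key=lambda e: e.ts):
        if e.user_surname.casefold() == e.patient_surname.casefold():
            findings.append(Finding("same_surname", e.user_id, e.patient_id,
                                    f"{e.role} {e.user_id} opened record of patient "
                                    f"sharing surname {e.patient_surname!r}"))
        if not e.reason:
            unexplained[e.user_id] += 1
            findings.append(Finding("no_documented_reason", e.user_id, e.patient_id,
                                    f"{e.role} {e.user_id} opened {e.patient_id} at "
                                    f"{e.ts.isoformat()} with no purpose recorded"))
    for user, n in unexplained.items():
        if n >= unexplained_threshold:
            findings.append(Finding("repeated_unexplained", user, "*",
                                    f"{n} accesses without a documented purpose in the window"))
    return findings


def next_review_after(ts: datetime, anchor: datetime, cadence: timedelta) -> datetime:
    """Earliest scheduled review at or after ts, for reviews run every `cadence`
    starting at `anchor`. The access has already happened by then."""
    if ts <= anchor:
        return anchor
    elapsed = (ts - anchor) // cadence          # whole cadences already passed
    candidate = anchor + elapsed * cadence
    return candidate if candidate >= ts else candidate + cadence


def detection_lag_days(event: AccessEvent, anchor: datetime, cadence_days: int) -> int:
    """Whole days between an access and the first scheduled review that could examine it."""
    seen = next_review_after(event.ts, anchor, timedelta(days=cadence_days))
    return (seen - event.ts).days


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count findings by rule, the figure a monthly or weekly review would report."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in review(SAMPLE_LOG, *MARCH_WINDOW):
        print(f"{f.rule:22} {f.user_id:5} {f.patient_id:3} {f.detail}")
    print(summarize(review(SAMPLE_LOG, *MARCH_WINDOW)))
    first = SAMPLE_LOG[2]  # the same-surname access on 4 March
    for label, days in (("monthly", 30), ("weekly", 7)):
        print(f"{label}: access at {first.ts} first examined "
              f"{detection_lag_days(first, REVIEW_ANCHOR, days)} days later")
```

Run as a script, the monthly window reports four findings (one same-surname access, two accesses with no documented purpose, one user with repeated unexplained accesses), the weekly window reports two, and the 4 March access is first examined 26 days later under a 30-day schedule against 3 days under a 7-day one. Either way it is examined after the fact, which is the point the court makes about the complaint's monitoring theory; what the log records, which rules run over it, and how often are choices the regulation leaves to the covered entity.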
{¶ 31} The remaining question about the trial court's dismissal of the plaintiffs' “HIPAA-based” claims is whether, based on the alleged facts and reasonable inferences, it is beyond doubt that the plaintiffs are not entitled to relief on the claim for breach of confidentiality of medical information. In Scott v. Ohio Dep't of Rehab. & Corr., 2013-Ohio-4383, 999 N.E.2d 231 (10th Dist.), inmates at Madison Correctional Institution, six of whom were HIV positive and the remainder of whom were “chronic care” patients, alleged that their confidential medical records were released to the general prison population. The pharmacy at the prison periodically produced HIV and chronic-care lists of inmates. Old lists were discarded in pharmacy trash, which was bagged and placed outside the pharmacy door. An inmate worker would then collect the trash for deposit in a dumpster in another controlled-access area. Records came into possession of inmates and eventually became accessible to the general prison population. The court of claims determined that the circumstances under which the medical information was disclosed did not meet the elements of Biddle, supra.
{¶ 32} The Tenth District Court of Appeals analyzed the Biddle issue as whether disclosure must be intentional or willful. Upon review, it stated:
Biddle itself is certainly premised on facts that involved a deliberate and intentional disclosure, but in creating this new tort under Ohio law, the Supreme Court relied on some authorities involving negligence fact patterns. [Citation and summary omitted]. We are therefore unwilling to accept ODRC's proposal that “unauthorized” disclosure under Biddle equates to “intentional” disclosure. Ultimately, however, considering the matter as one of first impression, we find that under the circumstances outlined in the facts given above, supervised inmate access to trash containing unshredded medical documents does not constitute “disclosure” for purposes of the tort of unauthorized disclosure of medical information as defined by Biddle. * * *
Without precluding that an inadvertent disclosure might, under different facts, fulfill the elements of Biddle, the present case does not.
Scott at ¶¶ 29–30.
{¶ 33} Here, at best, the plaintiffs' claim against KHN is predicated upon KHN's alleged failure to earlier detect Sheldon's intentional, unauthorized access through procedures required by HIPAA. Consistent with Scott, we determine that the facts alleged do not constitute “disclosure” for purposes of a Biddle breach-of-confidentiality claim. Therefore, we affirm the trial court's dismissal of the claims albeit as a result of a somewhat different analysis.
{¶ 34} Despite preemption and the lack of a private right of action, we are aware of three states that have expressed approval of the use of HIPAA regulations as a standard of care. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433, 102 A.3d 32 (2014), R.K. v. St. Mary's Med. Ctr., Inc., 229 W.Va. 712, 735 S.E.2d 715 (W.Va.2012), and Acosta v. Byrum, 180 N.C.App. 562, 568, 638 S.E.2d 246 (N.C.Ct.App.2006). However, each is dependent on the nuances of applicable state law, the claims pursued, and the unique facts presented. In Byrne, the court analyzed state law claims of negligence and negligent infliction of emotional distress resulting from production of records in response to a subpoena without notifying the patient which, for non-judicial subpoenas, is required by HIPAA. The court stated “HIPAA may inform the applicable standard of care in certain circumstances.” Id. at 435, 102 A.3d 32. We perceive the issue in Byrne to be more of whether the release was “authorized” not whether the defendant was responsible for its disclosure. In R.K., plaintiff's various state negligent, intentional conduct, and breach of confidentiality claims were asserted without specific HIPAA labeling against a hospital whose employees accessed plaintiff's psychiatric records and disclosed information to his estranged wife. Although reference was made with approval to other cases which addressed use of HIPAA as a standard of care, the holding was “we now hold that common-law tort claims based upon the wrongful disclosure of medical or personal health information are not preempted by [HIPAA].” Id. at 724, 735 S.E.2d 715. In Acosta a physician gave a subordinate his medical access code, which would be contrary to HIPAA. The subordinate retrieved the plaintiff's psychiatric records. The plaintiff brought claims for invasion of privacy and for intentional and negligent infliction of emotional distress alleging the sharing of the access code violated regulations of “University Health Systems, Roanoke Chowan Hospital, and [HIPAA].” The Acosta court determined plaintiff sufficiently pled causes of action separately from the HIPAA violation, although it also concluded that plaintiff did not bring a HIPAA claim but that HIPAA was only applicable as “evidence of the duty of care owed by Dr. Faber.” To the extent that these cases from other jurisdictions are not binding or that they are distinguishable we choose not to follow them.
{¶ 35} The first assignment of error is overruled.
{¶ 36} In an alternative argument, KHN maintains that several of the plaintiffs' claims were subject to dismissal because they were not adequately pled. This argument pertains to the claims against KHN for invasion of privacy, negligent training, negligent supervision, and intentional infliction of emotional distress. Although KHN raised this argument below, the trial court had no occasion to address it upon finding the claims subject to dismissal on HIPAA-based grounds. Although we have determined that plaintiffs have failed to state a breach of privacy claim, and that the other claims are consolidated therein, including perhaps all these claims subject to alternative arguments, we recognize the import of our holding and therefore address whether the referenced causes of action, if separate, were adequately pled to survive Civ.R. 12(B)(6) dismissal.
Ordinarily, we might be inclined to allow the trial court to address an unresolved issue in the first instance if we were to remand. We need not do so, however, with regard to KHN's argument about the adequacy of the plaintiffs' pleading. That issue, which was raised by KHN but not addressed by the trial court below, involves a question of law that we review de novo. Jones v. Xenia, 2d Dist. Greene No. 2011 CA 27, 2011-Ohio-5545, 2011 WL 5137208, ¶ 9. That being so, we see no purpose in remanding for the trial court to opine on the issue.
{¶ 37} With regard to the claims against KHN for invasion of privacy, negligent training, negligent supervision, and intentional infliction of emotional distress, KHN argues:
The common elements among each of these causes of action require that KHN must have acted intentionally or failed to act with knowledge of the underlying tortfeasors' actions. Plaintiffs–Appellants' Complaint is void of any allegation that KHN acted intentionally to cause Plaintiffs–Appellants harm or that KHN knew that certain employees were accessing medical information without authorization and failed to act. As stated above, Plaintiffs–Appellants' tort allegations against KHN are based upon KHN's alleged failure to run certain “CLARITY” reports with sufficient frequency. Even assuming that KHN was required to run these reports with the frequency alleged by Plaintiffs–Appellants and that KHN failed to do so, that does not demonstrate that KHN acted intentionally nor does it demonstrate that KHN knew its employees were accessing medical information without authorization.
(Appellee's brief at 17).
{¶ 38} Upon review, we agree with KHN that two of the causes of action at issue, namely invasion of privacy and intentional infliction of emotional distress, fail to state a claim upon which relief can be granted because they do not allege KHN acted intentionally. The plaintiffs' brief makes clear that they are alleging “wrongful intrusion” invasion of privacy. This theory requires proof of an intentional intrusion upon the solitude or seclusion of another or his private affairs or concerns. King v. Cashland, Inc., 2d Dist. Montgomery No. 18208, 2000 WL 1232768, *3 (Sept. 1, 2000); Havens–Tobias v. Eagle, 2d Dist. Montgomery No. 19562, 2003-Ohio-1561, 2003 WL 1601461, ¶ 26. The plaintiffs' complaint alleges no such intentional intrusion on the part of KHN. Rather, it alleges that KHN negligently failed to protect the privacy of the plaintiffs' electronic medical information by not taking reasonable steps to protect the information by running and monitoring CLARITY reports. Although the complaint does allege intentional intrusions by defendant Duane Sheldon, we determined above that the nature of his conduct precludes respondeat-superior liability.
The Ohio Supreme Court has recognized four types of invasion-of-privacy claims: (1) unwarranted appropriation or exploitation of one's personality, (2) publicizing of one's private affairs, (3) wrongful intrusion into one's private activities, and (4) false-light invasion of privacy. Welling v. Weinfeld, 113 Ohio St.3d 464, 2007-Ohio-2451, 866 N.E.2d 1051.
We recognize that in Prince v. St. Francis–St. George Hosp., Inc., 20 Ohio App.3d 4, 484 N.E.2d 265 (1st Dist.1985), the First District opined that invasion of privacy may be supported by negligent as well as intentional acts where a physician improperly mailed a medical-claim form containing a confidential diagnosis for Mrs. Prince to a co-worker of her husband. Invasion of privacy could exist “whether [the physician's] potential ultimate liability is predicated on his intentional acts (preparing and mailing the telltale material), or upon the negligence of those acts.” Id. at 7, 484 N.E.2d 265.
{¶ 39} We reach the same conclusion with regard to intentional infliction of emotional distress, which requires a showing that the actor intended to cause emotional distress or knew, or should have known, that his actions would result in severe emotional distress. Ratcliff v. Seitz, 2d Dist. Miami No. 2014–CA–9, 2014-Ohio-4412, 2014 WL 4953569, ¶ 47 (citing cases). Here we fail to see how the plaintiffs can prove a set of facts establishing KHN's intentional infliction of emotional distress based on KHN's allegedly negligent failure to run and monitor CLARITY reports. Once again, although Duane Sheldon allegedly acted intentionally, the facts in the complaint do not support respondeat-superior liability.
{¶ 40} The trial court also did not err in refusing to allow the plaintiffs to amend their complaint concerning their claims for invasion of privacy and intentional infliction of emotional distress. If these claims are subsumed into the breach of confidentiality claim, as we have held, then amendment would not change their consolidation and would not change viability. Moreover, having reviewed the plaintiffs' proposed amended complaint, we note that it did not remedy the lack of allegedly intentional misconduct on the part of KHN. Therefore, the proposed amendment would have been futile with respect to the claims for invasion of privacy and intentional infliction of emotional distress. See Cruz v. Kettering Health Network, 2d Dist. Montgomery No. 24465, 2012-Ohio-24, 2012 WL 29351, ¶ 34 (recognizing that leave to amend a complaint may be denied when the proposed amendment would be futile).
{¶ 41} We reach a similar result concerning the plaintiffs' claims for negligent training and negligent supervision. The elements of a negligent supervision claim essentially are the same as those required to prove negligent hiring. Browning v. Ohio State Hwy. Patrol, 151 Ohio App.3d 798, 2003-Ohio-1108, 786 N.E.2d 94, ¶ 67 (10th Dist.). Likewise, other courts have recognized that the elements of negligent training are also the same. Ford v. Brooks, 10th Dist. Franklin No. 11AP–664, 2012-Ohio-943, 2012 WL 760741, ¶ 22, citing Jarvis v. Securitas Sec. Servs. USA, Inc., D.Md. No. 11–cv–00654–AW, 2012 WL 527597 (Feb. 16, 2012). They are: “(1) the existence of an employment relationship; (2) the employee's incompetence; (3) the employer's actual or constructive knowledge of such incompetence; (4) the employee's act or omission causing the plaintiff's injuries; and (5) the employer's negligence in hiring or retaining [or training or supervising] the employee as the proximate cause of plaintiff's injuries.” Evans v. Ohio State Univ., 112 Ohio App.3d 724, 739, 680 N.E.2d 161 (10th Dist.1996).
{¶ 42} KHN correctly notes that these claims require proof that it had actual or constructive knowledge of Duane Sheldon's incompetent behavior. The relevant behavior here involved his allegedly unauthorized and improper accessing and sharing of the plaintiffs' electronic health information. Nothing in the complaint suggests that KHN had actual knowledge of this behavior. The complaint alleges the manner in which KHN could be deemed to have constructive knowledge of Sheldon's access and that is to monitor the EPIC system CLARITY reports to comply with HIPAA security rules. We agree with the trial court that the manner alleged in the complaint for KHN to have discovered Sheldon's unauthorized access is definitively HIPAA-based. Because we believe allowing such a claim to proceed effectively would allow a private action for damages predicated on HIPAA requirements, recovery based on that part of the complaint is prohibited. We have not found, and the plaintiffs have not cited, an Ohio case supporting a cause of action based on negligent failure to follow HIPAA regulations. We conclude that the trial court correctly dismissed these claims.
{¶ 43} We again acknowledge that the plaintiffs moved to amend their complaint, but the proposed amendments would not have cured the fatal deficiencies. The proposed amended complaint retained virtually every allegation found in the original, including the allegations that KHN was negligent in failing adequately to monitor the CLARITY reports from the EPIC system as required by HIPAA. The only proposed changes of substance that could relate to the negligent training or supervision claims are the addition of the following allegations:
9. Although it is not mandated that the EPIC system be used by any controlling authority, it is clear that the standard of care established by HIPAA is that a health entity must take reasonable and prudent steps to safeguard patient information.
10. Complete and apart from any standard of care, KHN has a common law duty to safeguard patient confidential health information.
* * *
12. Defendant KHN, complete and apart from its duty of care established by HIPAA, failed to take reasonable care to safeguard patient health information.
* * *
49. In asserting the above common law claims, Plaintiffs disclaim any attempt at enforcing “HIPAA”. They do not seek civil or criminal penalties against KHN for “HIPAA violations”; rather they seek common law remedies to themselves for damages, as contained in the prayer for relief.
{¶ 44} Paragraphs 9 and 10 allege only the existence of a common-law duty to protect patient health information. That is not in dispute. Paragraph 12 merely alleges, in conclusory fashion, that KHN was negligent. But the only factual allegations to support that bare conclusion are all the factual allegations about Duane Sheldon's intrusion and the HIPAA-induced monitoring KHN allegedly should have done to detect his access. Those factual assertions remain intact in the proposed amended complaint. Finally, paragraph 49 is no more than an attempt by the plaintiffs to distance themselves from what they now recognize is a prohibited HIPAA claim when the bulk of their factual assertions—most importantly with regard to the HIPAA obligations related to monitoring the EPIC CLARITY reports to discover Sheldon's intrusion—remain unchanged. We reiterate that the proposed amended complaint would not cure the infirmities we have addressed.
{¶ 45} Based on the reasoning set forth above the assignments of error are overruled and the trial court's judgment is affirmed.
DONOVAN, J., and WELBAUM, J., concur.