
    [5 NE3d 578, 982 NYS2d 431]
    John Doe, Appellant, v Guthrie Clinic, Ltd., et al., Respondents.
    Argued November 12, 2013;
    decided January 9, 2014
    
      POINTS OF COUNSEL
    
      Brown & Hutchinson, Rochester (T. Andrew Brown of counsel), for appellant.
    I. Two bases of redress for the breach of the fiduciary duty of patient confidentiality exist extending to medical corporations in New York: strict liability and vicarious liability. (Doe v Community Health Plan—Kaiser Corp., 268 AD2d 183; West v American Telephone & Telegraph Co., 311 US 223; Erie R. Co. v Tompkins, 304 US 64; Russell v Todd, 309 US 280.) II. Strict liability applies to medical corporations for breaches of confidential personal health information. (Doe v Community Health Plan—Kaiser Corp., 268 AD2d 183; West v American Telephone & Telegraph Co., 311 US 223; N.X. v Cabrini Med. Ctr., 97 NY2d 247; MacDonald v Clinger, 84 AD2d 482; Cornell v State of New York, 46 NY2d 1032; Stewart v Brooklyn & Crosstown R.R. Co., 90 NY 588; de Wolf v Ford, 193 NY 397; Stone v Eisen Co., 219 NY 205; Petrone v Fernandez, 12 NY3d 546; Aaron v Ward, 203 NY 351.) III. Vicarious liability for medical corporations applies to breaches of confidential personal health information, even if strict liability does not. (Riviello v Waldron, 47 NY2d 297; Petrescu v College Racquet Club, Inc., 40 AD3d 947; Powers v New York Cent. R.R. Co., 251 F2d 813; Essig v United States, 675 F Supp 84; Murray v Watervliet City School Dist., 130 AD2d 830.)
    
      Morgan, Lewis & Bockius LLP, New York City (Martha B. Stolley and Heather L. Hopkins of counsel), for respondents.
    I. This Court should reject John Doe’s invitation to break from well-settled precedent and impose strict liability on an employer for its employee’s breach of fiduciary duty when acting outside the scope of employment. (Indiana Harbor Belt R. Co. v American Cyanamid Co., 916 F2d 1174; Tighe v Ginsberg, 146 AD2d 268; Cornell v State of New York, 46 NY2d 1032; Pekelnaya v Allyn, 25 AD3d 111; Riley v Standard Oil Co. of NY, 231 NY 301; Adams v New York City Tr. Auth., 88 NY2d 116; N.X. v Cabrini Med. Ctr., 97 NY2d 247; Stewart v Brooklyn & Crosstown R.R. Co., 90 NY 588; de Wolf v Ford, 193 NY 397; Bellevue S. Assoc. v HRH Constr. Corp., 78 NY2d 282.) II. The issue of vicarious liability raised by John Doe is not encompassed within the question certified by the Second Circuit and not properly before this Court. (Rooney v Tyson, 91 NY2d 685; Commodity Futures Trading Commn. v Walsh, 17 NY3d 162; Penguin Group [USA] Inc. v American Buddha, 16 NY3d 295; Suarez v Bakalchuk, 66 AD3d 419; Nicollette T. v Hospital for Joint Diseases/Orthopaedic Inst., 198 AD2d 54; N.X. v Cabrini Med. Ctr., 97 NY2d 247.)
   OPINION OF THE COURT

Pigott, J.

The United States Court of Appeals for the Second Circuit has certified the following question for our consideration: “Whether, under New York law, the common law right of action for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information may run directly against medical corporations, even when the employee responsible for the breach is not a physician and acts outside the scope of her employment?” We answer the question in the negative.

On July 1, 2010, “John Doe” was being treated for a sexually transmitted disease (STD) at the Guthrie Clinic Steuben, a private medical facility. A nurse employed by the Clinic recognized Doe as the boyfriend of her sister-in-law. The nurse accessed Doe’s medical records and learned that he was being treated for the STD. While Doe was still awaiting treatment, she sent text messages to her sister-in-law informing her of Doe’s condition. The sister-in-law immediately forwarded the messages to Doe; according to Doe, the messages suggested that staff members were making fun of his medical condition.

Five days after his visit to the Clinic, Doe called to complain of the nurse’s behavior. He met with an administrator of the Clinic, and the nurse was fired. Thereafter, the President and CEO of Guthrie Clinic, Ltd. sent a letter to Doe confirming that there had been an unauthorized disclosure of Doe’s confidential health information, that appropriate disciplinary actions had been carried out, and that steps had been taken to prevent such a breach from occurring in the future.

Doe subsequently filed this action in federal court against defendants, various affiliated entities that allegedly “owned, possessed, operated, staffed and/or otherwise controlled” the clinic. In his complaint, Doe asserted eight causes of action: (1) common-law breach of fiduciary duty to maintain the confidentiality of personal health information, (2) breach of contract, (3) negligent hiring, training, retention and/or supervision of employees, (4) negligent infliction of emotional distress, (5) intentional infliction of emotional distress, (6) breach of duty to maintain the confidentiality of personal health information under CPLR 4504, (7) breach of duty to maintain the confidentiality of personal health information under Public Health Law § 4410, and (8) breach of duty to maintain the confidentiality of personal health information under Public Health Law § 2803-c.

The United States District Court for the Western District of New York granted the defendants’ motion to dismiss all eight claims (2012 WL 531026, 2012 US Dist LEXIS 20507 [US Dist Ct, WD NY Feb. 17, 2012]).

Doe appealed the dismissal of the first five of the eight causes of action. The United States Court of Appeals for the Second Circuit affirmed the dismissal of four of the remaining five causes of action, reserving decision on his claim of breach of fiduciary duty, which is the only subject of this certified question (519 Fed Appx 719 [2d Cir 2013]).

In a separate opinion (710 F3d 492 [2d Cir 2013]), the Second Circuit found that the nurse’s actions were not foreseeable to defendants, nor were her actions taken within the scope of her employment (id. at 495). The court explained that in his complaint Doe himself alleged that the nurse was motivated by purely personal reasons and “[t]hose reasons had ‘nothing to do with [Doe’s] treatment and care’ ” (id. at 495-496, citing Doe complaint at ¶ 25). “As such,” the court held, the nurse’s “actions cannot be imputed to the defendants on the basis of respondeat superior” (id. at 496). The court certified the question to this Court, however, whether Doe may assert a specific and legally distinct cause of action against defendant for breach of the fiduciary duty of confidentiality, even when respondeat superior liability is absent (id. at 498).

Generally, a hospital or medical corporation may be held vicariously liable for the wrongful acts of its employees (see e.g. Hill v St. Clare’s Hosp., 67 NY2d 72, 79 [1986]). However, “[u]nder the doctrine of respondeat superior, an employer may be vicariously liable for the tortious acts of its employees only if those acts were committed in furtherance of the employer’s business and within the scope of employment” (N.X. v Cabrini Med. Ctr., 97 NY2d 247, 251 [2002]). Thus, a medical corporation is generally not liable for a tort of an employee when such an action is not within the scope of employment.

We have, in other circumstances, declined to hold a medical corporation to a “heightened duty” for an employee’s misconduct. For instance, in N.X. v Cabrini Med. Ctr., where a physician employed by the defendant hospital committed a sexual assault on a sedated patient, this Court rejected the attempt to hold the hospital strictly liable. We declined to recognize a heightened duty on the part of the hospital, explaining:

“A hospital has a duty to safeguard the welfare of its patients, even from harm inflicted by third persons, measured by the capacity of the patient to provide for his or her own safety .... This sliding scale of duty is limited, however; it does not render a hospital an insurer of patient safety or require it to keep each patient under constant surveillance .... As with any liability in tort, the scope of a hospital’s duty is circumscribed by those risks which are reasonably foreseeable” (id. at 252-253).

Since the sexual assault committed by the hospital employee was “not in furtherance of hospital business” and was “a clear departure from the scope of employment, having been committed for wholly personal motives” (id. at 251), we concluded that the hospital could not be held vicariously liable.

Here, Doe urges us to impose absolute liability on the medical corporation for an employee’s dissemination of a patient’s confidential medical information. We decline to do so, and, to the extent that this rationale may have been employed in Doe v Community Health Plan—Kaiser Corp. (268 AD2d 183 [3d Dept 2000]), we reject that decision. For the same reasons stated in Cabrini, a medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment.

The dissent, in accepting Doe’s argument, would impose strict liability on medical corporations for any disclosure by an employee, an approach that is unnecessary and against precedent. In cases where an injured plaintiff’s cause of action fails because the employee is acting outside the scope of employment, a direct cause of action against the medical corporation for its own conduct, be it negligent hiring, supervision or other negligence, may still be maintained (see Judith M. v Sisters of Charity Hosp., 93 NY2d 932, 934 [1999]). A medical corporation may also be liable in tort for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train their employees to properly discharge their duties under those policies and procedures. These potential claims provide the requisite incentive for medical providers to put in place appropriate safeguards to ensure protection of a patient’s confidential information. Those causes of action in the present case have already been resolved by the federal courts and we therefore do not address them.

Accordingly, the certified question should be answered in the negative.

Rivera, J. (dissenting).

Patients, who have little say in the matter, disclose their personal information to medical corporations trusting that it will be kept private. In answering the certified question in the negative, the majority limits a patient’s remedy even in cases where a corporation has failed in its duty to protect confidential information. I believe that a medical corporation’s duty extends beyond an employee’s conduct within the scope of employment, and I would answer the certified question in the affirmative.

The majority’s narrow conception of a medical corporation’s duty undermines New York’s public policy to protect the confidentiality of patients’ medical records (see Public Health Law § 2803-c [1], [3] [f]). The ease with which confidential patient information can now spread through personal digital devices and across social networks demands a strong legal regime to protect a patient’s confidentiality. A cause of action directly against a medical corporation, unhampered by questions as to whether an employee’s conduct occurred within the scope of employment, ensures the fullest protections for patients and best addresses the current realities of medical service delivery.

Comprehensive medical records are crucial to ensuring proper medical care. Medical providers, including corporate medical providers, require private medical data from patients to ensure proper treatment. A patient reveals personal data for purposes of receiving medical services, with the understanding that the patient retains a right to confidentiality in such information. Technological advances have made it possible to collect and house patient data in ways easily accessible to a patient’s doctor and other health care provider staff. Computers and cellular devices have transformed medical record keeping and health care service provision, making access to such data fast and easy. While such access surely benefits both the patient and the provider, it also increases the potential for instantaneous and extensive unauthorized disclosure of confidential patient information by a range of staff personnel. Societal interest in maintaining patient privacy in medical records is served through a robust tort system, responsive to the realities of the ease of disclosure.

In some circumstances, we have limited a medical corporation’s liability for the negligence of its employees under a theory of respondeat superior (see e.g. N.X. v Cabrini Med. Ctr., 97 NY2d 247, 251-252 [2002]; Judith M. v Sisters of Charity Hosp., 93 NY2d 932, 933-934 [1999]; Hill v St. Clare’s Hosp., 67 NY2d 72, 79 [1986]; Suarez v Bakalchuk, 66 AD3d 419, 419 [1st Dept 2009]; Doe v Westfall Health Care Ctr., 303 AD2d 102, 110 [4th Dept 2002]; see also majority op at 484). Respondeat superior is a theory of vicarious liability that originally developed under the assumption that a master could control the conduct of an agent (see Mott v Consumers’ Ice Co., 73 NY 543, 546-547 [1878]; Restatement [Second] of Agency § 219, Comment a). The modern theory of respondeat superior gives the injured plaintiff a means to recover a remedy from well-insured employers and provides incentives for employers to hire careful employees (see Riviello v Waldron, 47 NY2d 297, 302 [1979]; Restatement [Third] of Agency § 2.04, Comment a). Nonetheless, the law limits the employer’s liability to acts “done while the servant was doing his master’s work, no matter how irregularly, or with what disregard of instructions”: acts done within the scope of employment (Riviello, 47 NY2d at 302 [citations omitted]). This limitation relieves an employer from liability for an employee’s torts when the employer neither benefits from the tortious conduct nor has the means to control the employee’s behavior.

Such limitations have no place in a negligence action against a medical corporation for disclosure of confidential medical records. As the majority notes, it is the medical corporation itself, not merely its employees, which owes the duty of confidentiality to the patient (see majority op at 485). New York’s public policy would be furthered by permitting a cause of action for breach of medical confidentiality, even in cases where an employee has acted outside the scope of employment, because patients must reveal medical data in order to obtain care from the medical corporation and the patient has no way of protecting against its unauthorized disclosure or means of controlling who has access to it.

Our decision in N.X. v Cabrini Med. Ctr. (97 NY2d 247 [2002]) recognized that a hospital owes a duty to keep patients safe, even from third parties and employees acting outside the scope of employment. In that case, a surgical resident sexually assaulted the plaintiff (id. at 249). We held that the hospital could not be held vicariously liable for the resident’s wrongdoing because he was acting outside the scope of his employment (id. at 251-252). However, that did not end the inquiry. We also held that “[a] hospital has a duty to safeguard the welfare of its patients, even from harm inflicted by third persons, measured by the capacity of the patient to provide for his or her own safety” (id. at 252) and limited “by those risks which are reasonably foreseeable” (id. at 253). In Cabrini, the hospital had an independent duty to prevent the employee who acted outside the scope of his employment from harming the plaintiff. Thus, the hospital could be liable for the breach of its duty through the inaction of its nursing staff in the face of obvious risks (see id. at 253-254). When a patient lays helpless in a hospital bed, entrusting his or her care to the hospital, the hospital has an independent duty to ensure his or her safety.

Similarly, a patient entrusts private medical information to the care of the medical corporation and its employees, over whom the patient has no control. The patient’s only surefire means to prevent accidental disclosure would be to forgo turning over the confidential information in the first place. This is not a realistic option because a patient cannot expect delivery of medical services without disclosing such data. Indeed, the medical profession encourages full disclosure by the patient of a comprehensive medical history (see AMA Code of Med Ethics Op 10.02 [2]). In order to receive treatment, a patient must reveal personal information; a patient withholds such data at his or her peril. Having turned over private information to ensure proper and adequate treatment, the patient is at the mercy of the medical corporation’s ability to protect its confidentiality. A hospital should owe a duty to keep a patient’s health information confidential, and a hospital should be directly liable for its own failure to prevent breaches of confidentiality by employees who act outside the scope of their employment.

In order to protect the patient’s privacy interests given the competing need to disclose, such a cause of action would provide a powerful incentive to medical corporations to implement protections against disclosures. Given the highly personal nature of medical data at risk of disclosure, the harm associated with dissemination of such sensitive private information, the ease with which employees of a medical corporation may access confidential data and disseminate it through the use of a commonly held and inexpensive device, a cellular telephone, and the inability of patients to protect themselves from employee misconduct, such an incentive furthers the State’s public policy in protecting the confidentiality of medical records.

The certified question should be answered in the affirmative.

Chief Judge Lippman and Judges Graffeo, Read, Smith and Abdus-Salaam concur with Judge Pigott; Judge Rivera dissents and votes to answer the certified question in the affirmative in an opinion.

Following certification of a question by the United States Court of Appeals for the Second Circuit and acceptance of the question by this Court pursuant to section 500.27 of this Court’s Rules of Practice, and after hearing argument by counsel for the parties and consideration of the briefs and record submitted, certified question answered in the negative. 
      
Subjecting hospitals and other health care entities to strict liability for the acts of an employee that were not only unauthorized, but motivated entirely by personal reasons is contrary to well-established precedent (see N.X. v Cabrini Med. Ctr., 97 NY2d 247, 252-253 [2002]; Cornell v State of New York, 46 NY2d 1032 [1979]). While the dissent finds our holding too “narrow” (see dissenting op at 486), the dissent’s reasoning is flawed for the opposite reason; it is too broad. If the dissent’s view is taken to its logical conclusion, a medical provider may be held liable in negligence for any inadvertent disclosure by an employee. As an example, if a receptionist of a private physician discloses at a cocktail party that a patient was in to see the doctor for a particular ailment, perhaps unbeknownst to the patient’s family because he did not want to worry them, under the dissent’s rule, the medical corporation would be required to respond in damages for that disclosure.

The majority believes that claims based on vicarious liability and sounding in negligence limited to conduct within the scope of employment provide sufficient relief for a patient whose private information is wrongfully disclosed (majority op at 485). As the instant case well illustrates, those causes of action alone are inadequate to remedy a breach of the duty to maintain the confidentiality of personal data, and they provide cold comfort to a patient whose personal data is disclosed due to the status of the employee and regardless of the actions of the employer that facilitated disclosure. Our legal system must be responsive to a health care service system with its attendant comprehensive data collection, supported by technological advances that are vulnerable to access.
     