-
JOURNAL ENTRY AND OPINION {¶ 1} Plaintiff-appellant, Janet L. Herman ("plaintiff"), appeals the trial court's granting joint motions for summary judgment1 filed by defendants-appellees, Dr. Richard Kratche and the Cleveland Clinic (the "Clinic"). For the reasons that follow, we affirm the trial court's decision granting summary judgment in favor of defendants on plaintiff's claim for intentional infliction of emotional distress; we reverse the trial court's decision that awarded summary judgment on plaintiff's remaining claims; and we affirm the trial court's judgment that denied defendants' motion for judgment on the pleadings.{¶ 2} In March 2003, plaintiff worked for Nestle USA, Inc., located in Solon, Ohio. In March and April 2003, plaintiff received non-work related medical examinations and/or testing at the Clinic. After three appointments, the Clinic forwarded plaintiff's records and other private medical information to the Human Resources Department at Nestle.
{¶ 3} Plaintiff received medical treatment from the Clinic on March 11, 2003. On that date, plaintiff was seen by Dr. Kratche for a physical examination. The written results of that examination were sent to Nestle.
{¶ 4} Thomas Atkinson, Administrator for the Clinic's Solon Family Health Center, explained that the March 11th records were sent to Nestle for "workers' comp coverage."2 (Atkinson Dep. 21.) After plaintiff complained to defendants about her records being sent to Nestle,3 Atkinson acknowledged the error and changed the records designation for the March 11th visit. The designation was moved from a workers' compensation claim to "Ms. Herman's personal family account with her medical coverage." (Atkinson Dep. 31.) Defendant does not dispute that plaintiff had independent medical coverage under United Healthcare at all times relevant to this case.
{¶ 5} Plaintiff returned to the Clinic on April 2, 2003 for a mammogram screening. The results and billing for that procedure were also designated as related to workers' compensation. The information was again forwarded to Nestle. Plaintiff returned to the Clinic for a diagnostic mammogram on April 10th. Again, those records were marked as workers' compensation and sent to Nestle. Atkinson acknowledged that all the records that were sent to Nestle from plaintiff's three visits in 2003 included protected private medical information that should never have been sent to Nestle.4 Plaintiff filed suit against defendants for unauthorized disclosure, invasion of privacy, and intentional infliction of emotional distress. Defendants filed a joint motion for summary judgment on all of plaintiff's claims. Without stating its reasons, the trial court granted defendants' motion.
{¶ 6} Plaintiff filed this timely appeal, in which she presents one assignment of error. The Clinic has also cross-appealed the trial court's denial of its earlier motion for judgment on the pleadings. First, we address plaintiff's sole assignment of error:
{¶ 7} "I. The trial court erred in granting defendants' motion for summary judgment."
{¶ 8} Plaintiff argues that the trial court erred in granting defendants' joint motion for summary judgment, because there remain genuine issues of material fact on each one of her claims.
{¶ 9} Pursuant to Civ.R. 56(C), summary judgment is proper where "(1) no genuine issue as to any material fact remains to be litigated; (2) the moving party is entitled to judgment as a matter of law; and (3) it appears from the evidence that reasonable minds can come to but one conclusion, and viewing such evidence most strongly in favor of the party against whom the motion for summary judgment is made, that conclusion is adverse to that party." Temple v. Wean United, Inc. (1977),
50 Ohio St. 2d 317 ,327 ,364 .{¶ 10} On appeal, this Court reviews a trial court's entry of summary judgment de novo. Mitnaul v. Fairmount PresbyterianChurch (2002),
149 Ohio App. 3d 769 ,2002-Ohio-5833 , ¶27 . "The movant possesses the burden of establishing that no genuine issue of material fact exists." Dresher v. Burt (1996),75 Ohio St. 3d 280 ,293 .{¶ 11} Once the movant satisfies its burden, the nonmoving party must then offer specific facts showing a genuine issue for trial. Id.; Civ.R. 56(E). The nonmoving party "must point to or submit some evidentiary material that shows a genuine dispute over the material facts exists." Henkle v. Henkle (1991),
75 Ohio App. 3d 732 ,735 .I. UNAUTHORIZED DISCLOSURE {¶ 12} One of plaintiff's claims here is that the Clinic is liable to her because it made an unauthorized disclosure of her personal health information to her employer.{¶ 13} "[I]n Ohio, an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship." Biddle v.Warren Gen. Hosp.,
86 Ohio St. 3d 395 ,1999-Ohio-115 , syllabus. An unauthorized disclosure under Biddle is "the tort of breach of confidence." Id., 403. The only way to avoid liability for an unauthorized disclosure is for the hospital or other medical provider to obtain the patient's consent. Id., 406.{¶ 14} One of the first cases in Ohio to deal with the issue of an unauthorized disclosure by a physician is Hammonds v.Aetna Cas. Sur. Co. (N.D. Ohio, 1965),
243 F. Supp. 793 .Hammonds explains the purpose of physician-patient confidentiality as follows:{¶ 15} "A patient should be entitled to freely disclose his symptoms and condition to his doctor in order to receive proper treatment without fear that those facts may become public property. Only thus can the purpose of the relationship be fulfilled." Id., 799, quoting Hague v. Williams,
37 N.J. 328 ,181 A.2d 345 ,349 (1962).{¶ 16} As is evident in Biddle v. Warren General Hospital,
86 Ohio St. 3d 395 ,399 ,1999-Ohio-115 , a physician's breach of a patient's confidence in the form of an unauthorized disclosure of that patient's medical information is an independent tort separate and distinct from the tort of invading one's privacy.{¶ 17} Hammonds v. Aetna Cas. Sur. Co. (N.D. Ohio, 1965),
243 F. Supp. 793 , provides that an unauthorized patient disclosure by a physician or hospital constitutes a breach of their fiduciary duty.{¶ 18} "A claim of breach of a fiduciary duty is basically a claim of negligence, albeit involving a higher standard of care. And in negligence actions, we have long held that ``one seeking recovery must show the existence of a duty on the part of the one sued not to subject the former to the injury complained of, a failure to observe such duty, and an injury resulting proximately therefrom.'"
{¶ 19} Strock v. Pressnell (1988),
38 Ohio St. 3d 207 ,216 , quoting Stamper v. Parr-Ruckman Home Town Motor Sales (1971),25 Ohio St. 2d 1 ,3 .{¶ 20} There is no dispute that the Clinic, as plaintiff's medical provider, held a fiduciary position with plaintiff as its patient and had a duty to keep plaintiff's medical information confidential. There is also no doubt that the Clinic breached that duty.
{¶ 21} Plaintiff must next demonstrate that the Clinic's breach of its fiduciary duty was the proximate cause of her damages. See, for example, 382 Capital v. Corso (Dec. 28, 1999), Franklin App. No. 99AP-156; Anginoli v. Benenson CapitalCo. (Dec. 23, 1999), Hamilton App. No. C-980811.
{¶ 22} The Clinic argues that her employer was not a "third party," because it also held a duty of confidentiality to her. The Clinic concludes, therefore, that since no "third-party" read plaintiff's records and since the employer did not disclose the information contained in those records to anyone else, the Clinic is not the proximate cause of plaintiff's damages.
{¶ 23} The tortious conduct of an unprivileged disclosure occurs the moment the nonpublic medical information is disclosed to an unauthorized third-party. The tortious conduct of the Clinic does not depend on what the duties of the third party are or what the third party subsequently does with that information. Any duties the third party may have had do not transform it into an "authorized" party. The key is whether the receiving party is "authorized" to receive the record.
{¶ 24} Moreover, the Clinic is mistaken when it claims that no one at Nestle read plaintiff's records. To the contrary, the human resources person at Nestle returned these records to plaintiff because he had read enough of plaintiff's records to know that they did not have anything to do with plaintiff's employment and therefore returned the records to plaintiff.
{¶ 25} For the foregoing reasons, we conclude that the Clinic had a fiduciary duty to plaintiff, and the Clinic breached that duty when it sent plaintiff's non-work-related medical records to Nestle. Moreover, as soon as Nestle opened the records, the Clinic became the proximate cause of plaintiff's harm. This part of the Clinic's argument fails.
{¶ 26} In its motion for summary judgment, the Clinic further argues that it is not liable for its unauthorized disclosures because Nestle owed plaintiff the same duty of confidentiality under the Health Insurance Portability and Accountability Act of 1996,
42 U.S.C.S. § 1320d-1 et seq. ("HIPAA")5 as the Clinic did. The Clinic argues that since it and Nestle both occupy the same "circle of confidentiality" under HIPAA, the Clinic did not make an unauthorized disclosure.{¶ 27} In 1996, Congress enacted HIPAA. One of HIPAA's purposes is to protect the privacy of an individual's personal health information ("PHI").
42 U.S.C.A. § 1320d-2 (d)(2)(A); seeSmith v. Am. Home Prods. Corp. Wyeth-Ayerst Pharm., (2003),372 N.J. Super. 105 ,855 A.2d 608 . Under HIPAA, "covered entities," including (1) health plans; (2) health care clearinghouses; and (3) health care providers, are required to follow specific regulations (45 CFR §§ 160-164) relating to the collection, use, or disclosure of an individual's personal health information. Generally, a covered entity may not disclose health information of persons without their consent.45 CFR § 164.508 (a); see45 C.F.R. § 160.103 ; § 164.501.6{¶ 28} "PHI" includes any information about an individual that "(1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university health care clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."
45 C.F.R. § 160.103 . As stated in Smith:{¶ 29} "The Privacy Rule prohibits covered entities from using or disclosing PHI in any form oral, written or electronic, except as permitted under the Privacy Rule.
45 C.F.R. § 164.502 (a). ``Use' and ``disclosure' are defined very broadly.45 C.F.R. § 164.501 . ``Use' includes an examination of PHI; ``disclosure' includes divulging or providing access to PHI. The Privacy Rule is also centered on the concept that, when using PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the ``minimum necessary' to accomplish the intended purpose of the use, disclosure or request.45 C.F.R. § 164.508 . In other words, even if a use or disclosure of PHI is permitted, covered entities must make reasonable efforts to disclose only the minimum necessary to achieve the purpose for which it is being used or disclosed. The ``minimum necessary' standard was implemented to prevent improper disclosure of PHI, yet to be flexible when a patient waives his or her privacy privilege for confidential medical information.{¶ 30} "* * *
{¶ 31} "[U]nder the HIPAA regulations as presently promulgated, only the minimum necessary amount of information consistent with the stated purpose is to be disclosed. Any further information, whether collateral or marginal, is prohibited." Id., 112-120.
{¶ 32} The Clinic argues that since it and Nestle share the same duty of confidentiality, the Clinic could not have made an unauthorized disclosure. When Nestle received plaintiff's information from the Clinic, Nestle would be bound by its own duty of confidentiality to not disclose that medical information. According to the Clinic, "an employer receiving an employee's medical records is part of the same circle of confidentiality7 that encompasses the medical provider responsible for sending the records in the first place." (Defendants' motion for summary judgment, 9).
{¶ 33} First, neither HIPAA nor the regulations that accompany it mention anything about a "circle of confidentiality." Second, because Nestle does not meet the definition of a "health plan," "healthcare clearinghouse," or "healthcare provider," we conclude Nestle is not a covered entity under HIPAA.
45 C.F.R. § 160.103 . Therefore, Nestle cannot possibly be "part of the same circle of confidentiality" as the Clinic.{¶ 34} The Clinic sent plaintiff's medical information to Nestle under the mistaken belief that her visits were related to workers' compensation claims from 1993 as a Nestle employee. HIPAA permits a covered entity to disclose an individual's personal health information to an employer for workers' compensation purposes without consent.
45 C.F.R. § 164.512 (l);Rigaud v. Garofalo, 2005 U.S. Dist. LEXIS 8735, (E.D. Pa., May 2, 2005), *6. However, when a covered entity makes a disclosure, it must be for a purpose stated under HIPAA and its regulations. See45 C.F.R. 164.502 ; see, also,45 C.F.R. 164.506 . The Clinic does not cite nor do we find any authority for an inadvertent disclosure under HIPAA.{¶ 35} The three cases8 the Clinic believes support its argument about a "circle of confidentiality" are not instructive in resolving this issue, since all three were decided years before the 1996 enactment of HIPAA. Accordingly, we have determined that HIPAA does not offer the Clinic any protection for the disclosures it made.
{¶ 36} The Clinic additionally argues that plaintiff consented to having her medical information disclosed to Nestle. According to the Clinic, when plaintiff executed a consent form relating to its "Notice of Privacy Practices," she acknowledged that her medical information "for purposes of processing payment" would be sent to Nestle. The "Notice of Privacy Practices" provides in part as follows:
{¶ 37} "As described above, we will use your health information and disclose it outside CCHS for treatment, payment, health care operations, and when permitted or required by law. We will not use or disclose your health information for other reasons without your written authorization."
{¶ 38} While the document authorizes the Clinic to release plaintiff's medical information for purposes of payment, that is not what occurred here. The Clinic does not dispute that plaintiff's bills should have been sent to United Healthcare for payment, not Nestle. There is nothing in the Clinic's notice document that authorized the release of plaintiff's medical information to the wrong payor, whether accidentally or not.
{¶ 39} When it mistakenly forwarded plaintiff's personal health information to Nestle, the Clinic exceeded the scope of plaintiff's authorization. Accordingly, plaintiff did not consent to having her non-employment related medical information sent to Nestle.
II. INVASION OF PRIVACY {¶ 40} In its motion for summary judgment, the Clinic also argued that it did not tortiously invade plaintiff's privacy9 by disclosing her confidential medical information.{¶ 41} Ohio recognizes the tort of negligent invasion of the right of privacy. Prince v. St. Francis-St. George Hospital,Inc. (1985),
20 Ohio App. 3d 4 ,7 , citing Housh v. Peth (1956),165 Ohio St. 35 . "An actionable invasion of the right of privacy is the unwarranted appropriation or exploitation of one's personality, the publicizing of one's private affairs with which the public has no legitimate concern, or the wrongful intrusion into one's private activities in such a manner as to outrage or cause mental suffering, shame or humiliation to a person of ordinary sensibilities." Prince, *8, citing Housh, syllabus.{¶ 42} In the case at bar, the Clinic generally argues that plaintiff has not proven that she suffered the type of damages required to prove an invasion of her privacy.
{¶ 43} We have already determined that the Clinic made an unauthorized disclosure of plaintiff's personal health information to Nestle. When it mistakenly mailed plaintiff's information to Nestle, the Clinic wrongfully intruded into plaintiff's private life.
{¶ 44} When plaintiff realized that people at Nestle learned of her medical diagnosis and were given access to her personal gynecological information, she was embarrassed, angry, and emotionally distraught, and she felt an on-going anxiety about her privacy.
{¶ 45} From this record, there remain genuine issues of material fact as to whether a rational trier-of-fact would conclude that the Clinic's wrongful intrusion into plaintiff's private health information would cause a person of ordinary sensibilities outrage, mental suffering, shame, or humiliation. Accordingly, granting summary judgment to the Clinic was not appropriate.
III. INTENTIONAL INFLICTION OF EMOTIONAL DISTRESS {¶ 46} Plaintiff argues further that the Clinic's actions constitute the intentional infliction of emotional distress.{¶ 47} "A claim for intentional infliction of emotional distress required plaintiff to show that (1) defendant intended to cause emotional distress, or knew or should have known that actions taken would result in serious emotional distress; (2) defendant's conduct was extreme and outrageous; (3) defendant's action proximately caused plaintiff's psychic injury; and (4) the mental anguish plaintiff suffered was serious." Mitnaul, ¶ 62, citing Yeager v. Local Union 20 (1983),
6 Ohio St. 3d 369 , syllabus.{¶ 48} "Serious emotional distress requires an emotional injury which is both severe and debilitating." Motley v. FlowersVersagi Court Reporters (Dec. 11, 1997), Cuyahoga App. No. 72069, citing Paugh v. Hanks (1983),
6 Ohio St. 3d 72 . To prove "severe and debilitating emotional injury," a plaintiff "must present some guarantee of genuineness in support of his or her claim, such as expert evidence, to prevent summary judgment in favor of the defendant." Id., citing Knief v. Minnich (1995),103 Ohio App. 3d 103 . "In lieu of or in addition to expert testimony, a plaintiff may submit the testimony of lay witnesses acquainted with the plaintiff who have observed significant changes in the emotional or habitual makeup of the plaintiff." Id., citing Uebelacker v. Cincorn Systems, Inc. (1988),48 Ohio App. 3d 268 .{¶ 49} Plaintiff has alleged that she suffered embarrassment, anger, and on-going emotional anxiety about her privacy after the Clinic's unauthorized disclosure. Plaintiff, however, submitted only her own testimony in support of her alleged severe and debilitating injuries. Accordingly, she failed to present "some guarantee of genuineness" through expert testimony or lay witness testimony as required by law in order to withstand defendants' motion for summary judgment on this claim. The trial court did not err in granting the Clinic's motion for summary judgment on plaintiff's claim for intentional infliction of emotional distress.
{¶ 50} For the foregoing reasons, we sustain plaintiff's sole assignment of error in part and overrule it in part. The trial court erred in granting the Clinic's motion for summary judgment on plaintiff's claims for unauthorized disclosure and invasion of privacy but correctly granted judgment in favor of defendants on plaintiff's claim for intentional infliction of emotional distress.
{¶ 51} In the Clinic's cross-appeal, the cross-assignment of error states as follows:
{¶ 52} "I. The trial court erred in denying the motion for judgment on the pleadings of defendants Dr. Richard Kratchie and Cleveland Clinic Health Systems."
{¶ 53} The Clinic argues that plaintiff's claim for unauthorized disclosure constitutes a "medical claim" under the one-year statute of limitations set forth in R.C.
2305.11 .{¶ 54} R.C.
2305.11 (D)(3) provides as follows:{¶ 55} "``Medical claim' means any claim that is asserted in any civil action against a physician * * * and that arises out of the medical diagnosis, care, or treatment of any person. ``Medical claim' includes derivative claims for relief that arise from the medical diagnosis, care, or treatment of a person."
{¶ 56} In Allinder v. Mt. Carmel Health (Feb. 17, 1994), Franklin App. No. 93AP-156, a patient alleged that her psychiatrist breached his duty to maintain physician-patient confidentiality when he disclosed confidential medical information to her employer. Id.
{¶ 57} On appeal, the court in Allinder found that plaintiff's cause of action did not relate to medical diagnosis, treatment, or care provided by the psychiatrist. Thus, the court concluded that the patient's claim for unauthorized disclosure by the psychiatrist did not constitute a medical claim as that term is defined in R.C.
2305.11 . Id.{¶ 58} In accordance with Allinder, the Clinic's unauthorized disclosure of her confidential medical information is not related to an act of medical diagnosis, treatment, or care. The Clinic's cross-assignment of error is, therefore, overruled.
Judgment affirmed in part; reversed in part and remanded. Cross-appeal affirmed.
It is ordered that appellant and appellees share equally their costs herein taxed.
The court finds there were reasonable grounds for this appeal.
It is ordered that a special mandate issue out of this Court directing the Common Pleas Court to carry this judgment into execution.
A certified copy of this entry shall constitute the mandate pursuant to Rule 27 of the Rules of Appellate Procedure.
Karpinski, J., and Kilbane, J., Concur.
1 Dr. Kratche is not part of this appeal, because plaintiff voluntarily dismissed him on June 14, 2005, after the trial court granted him summary judgment. 2 It is undisputed that Nestle was a self-insured entity at the time of the events alleged in this case. 3 Plaintiff registered her complaint during a visit to the Solon facility on March 27, 2003. 4 In fact, the Clinic sent plaintiff's personal medical records to her employer on four separate occasions regarding the three visits. (Atkinson Dep. 25; Herman Dep. 53-59). 5 HIPAA is codified in various sections of 18 U.S.C.A., 26 U.S.C.A., 29 U.S.C.A., and 42 U.S.C.A. 6 Under 45 C.F.R. § 164.501 , "PHI," in part, includes information relating to an individual's past, present, or future physical or mental health or condition.7 The phrase "circle of confidentiality" appears in Biddle, supra at 403, and refers to a "closed loop" of persons bound by a duty of confidentiality. 8 Neal v. Corning Glass Works Corp. (S.D. Ohio 1989), 745 F. Supp. 1294 ; Miller v. Motorola (Ill.App. 1990),202 Ill. App. 3d 976 ; and Young v. Jackson (Miss. 1990),572 So. 2d 378 .9 We do not agree with the Clinic's position that both torts, "unauthorized disclosure" and "invasion of privacy," are subsumed under the single umbrella of "breach of confidence." The two wrongs are separate and distinct torts. See discussion infra.
Document Info
Docket Number: No. 86697.
Judges: JAMES J. SWEENEY, P.J.:
Filed Date: 11/9/2006
Precedential Status: Non-Precedential
Modified Date: 4/18/2021