Sheldon v. Kettering Health Network, 2015 Ohio 3268 (2015)


  • [Cite as Sheldon v. Kettering Health Network, 2015-Ohio-3268.]
    IN THE COURT OF APPEALS OF OHIO
    SECOND APPELLATE DISTRICT
    MONTGOMERY COUNTY
    VICKI SHELDON, et al., Plaintiff-Appellants
    v.
    KETTERING HEALTH NETWORK, et al., Defendants-Appellees
    Appellate Case No. 26432
    Trial Court Case No. 14-CV-3304
    (Civil Appeal from Common Pleas Court)
    ...........
    OPINION
    Rendered on the 14th day of August, 2015.
    ...........
    ROBERT F. CROSKERY, Atty. Reg. No. 0064802, Croskery Law Offices, 810 Sycamore
    Street, 2nd Floor, Cincinnati, Ohio 45202
    Attorney for Plaintiffs-Appellants, Vicki Sheldon, T.D., and Haley Dercola
    DOREEN CANTON, Atty. Reg. No. 0040394, and EVAN T. PRIESTLE, Atty. Reg. No.
    0089889, Taft Stettinius & Hollister LLP, 425 Walnut Street, Suite 1800, Cincinnati, Ohio
    45202-3957
    Attorneys for Defendant-Appellee, Kettering Adventist Healthcare
    J. STEVEN JUSTICE, Atty. Reg. No. 0063719, and GLEN McMURRY, Atty. Reg. No.
    82600, 210 West Main Street, Troy, Ohio 45373
    Attorneys for Defendant-Appellee, Duane Sheldon
    .............
    HALL, J.
    {¶ 1} Plaintiffs-appellants Vicki Sheldon and Haley Dercola appeal from the trial
    court’s Civ.R. 12(B)(6) dismissal of their complaint against defendant-appellee Kettering
    Adventist Healthcare d/b/a Kettering Health Network (“KHN”).1 The complaint alleged
    common-law tort claims for invasion of privacy, negligence, negligence per se, negligent
    training, negligent supervision, intentional infliction of emotional distress, and breach of
    fiduciary duty.2 The claims stemmed from KHN’s alleged failure to protect the privacy of
    the plaintiffs’ electronic medical information and the improper accessing and disclosure of
    that information by KHN administrator Duane Sheldon, the former spouse of Vicki
    Sheldon.
    {¶ 2} KHN responded to the complaint by seeking dismissal under Civ.R. 12(B)(6).
    In support, KHN argued that each of the tort claims was based on alleged violations of the
    federal Health Insurance Portability and Accountability Act (“HIPAA”). KHN noted that
    HIPAA did not provide a private right of action to enforce its terms. Therefore, KHN
    reasoned that the plaintiffs could not assert common-law tort claims essentially alleging
    HIPAA violations. KHN argued that the “[p]laintiffs should not be permitted to circumvent
    the bar on private enforcement of HIPAA violations by merely masking alleged HIPAA
    1
    Dercola filed suit in her own name and as parent and legal guardian of her minor child,
    T.D. In addition to KHN, the complaint named Sheldon’s former husband, Duane
    Sheldon, as a defendant. The claims against Duane Sheldon were voluntarily dismissed,
    however, after the trial court granted KHN’s Civ.R. 12(B)(6) motion.
    2
    The complaint also alleged violations of the Fair Credit Reporting Act and the Fair Debt
    Collection Practices Act. Those claims were voluntarily dismissed below and are not at
    issue on appeal.
    violations as common-law torts.” (Doc. #14 at 9). Alternatively, KHN argued that the
    plaintiffs had failed to plead facts establishing the elements for their alleged claims for
    invasion of privacy, negligent training, negligent supervision, and intentional infliction of
    emotional distress. The plaintiffs responded by arguing, among other things, that nothing
    prohibited them from “pursuing common law claims based on violations of their privacy
    just because such claims overlap with HIPAA violations.” (Doc. #18 at 2). They also
    asserted that their tort claims had been pled sufficiently. (Id. at 8-13). The plaintiffs
    additionally moved for leave to file a first amended complaint, seeking to clarify that they
    were alleging tortious conduct apart from HIPAA. (Doc. #27).
    {¶ 3} The trial court sustained KHN’s Civ.R. 12(B)(6) motion in an October 21,
    2014 decision and entry. (Doc. #32). After reviewing the plaintiffs’ complaint, the trial court
    concluded that each of their tort claims was based on an alleged HIPAA violation.
    Because HIPAA does not provide a private right of action, the trial court concluded that
    the plaintiffs could not state a claim for relief. (Id.). The decision did not address KHN’s
    alternative arguments to dismiss some of plaintiff’s claims. The trial court’s ruling also did
    not explicitly address the plaintiffs’ motion for leave to amend their complaint. The trial
    court subsequently dismissed that motion, as moot, based on its sustaining of KHN’s
    Civ.R. 12(B)(6) motion.
    {¶ 4} In their first assignment of error, the plaintiffs contend the trial court erred in
    dismissing their common-law claims against KHN. While conceding that HIPAA itself
    does not provide a private right of action to enforce its terms, the plaintiffs insist that the
    statute also does not preclude their common-law tort claims, which, they argue, point to
    HIPAA and other sources for a standard of care. In response, KHN argues, as it did
    below, that the plaintiffs cannot maintain common-law tort claims based on, and resulting
    from, alleged HIPAA violations. In a second assignment of error, the plaintiffs contend the
    trial court erred in not allowing them to amend their complaint to make clear that they were
    not seeking recovery under HIPAA and that they were relying on the statute, at most, to
    establish a standard of care.
    {¶ 5} We begin our review with the standards applicable to a Civ.R. 12(B)(6)
    motion. A motion to dismiss a complaint for failure to state a claim upon which relief can
    be granted, pursuant to Civ.R. 12(B)(6), tests the sufficiency of a complaint. For a
    defendant to prevail, it must appear beyond doubt from the complaint that the plaintiff can
    prove no set of facts entitling him to relief. O’Brien v. University Community Tenants
    Union, Inc., 42 Ohio St. 2d 242, 245, 327 N.E.2d 753 (1975). A court must construe the
    complaint in the light most favorable to the plaintiff, presume all of the factual allegations
    to be true, and make all reasonable inferences in the plaintiff’s favor. Mitchell v. Lawson
    Milk Co., 40 Ohio St. 3d 190, 192, 532 N.E.2d 753 (1988). We conduct a de novo review of
    a dismissal under Civ.R. 12(B)(6). Grover v. Bartsch, 170 Ohio App. 3d 188,
    2006-Ohio-6115, 866 N.E.2d 547, ¶ 16 (2d Dist.).
    {¶ 6} With the foregoing standards in mind, we turn to the complaint in this case. It
    contains the following factual allegations:
    6. Defendant KHN uses a system of software for storing, maintaining,
    accessing, and protecting electronic medical information. The system is
    known as “EPIC.” When properly used, the system protects medical
    information from being accessed by unapproved personnel to comply with
    the federal law Health Insurance Portability and Accountability Act,
    otherwise known as “HIPAA.”
    7. The “EPIC” System uses reports to ensure that electronic medical
    information is safely protected and remains private. Through a series of
    reports, known as “CLARITY” reports, the hospital or authorized medical
    information custodian has the ability to ensure that records are not being
    improperly accessed through, but not limited to, the following reports: * * *
    [The complaint lists numerous different types of reports that allegedly can
    be produced to help detect possible security or privacy breaches]. The
    cumulative effect of the regular running and monitoring of these Epic Clarity
    reports is to detect and deter improper access. When routinely run and
    monitored, the Epic Clarity reports provide early detection of privacy
    breaches of EHRs.
    8. Under the HIPAA Security Rule, a covered entity must identify and
    analyze potential risks to electronic private health information, and it must
    implement security measures that reduce risks and vulnerabilities to a
    reasonable level. Epic reports should be run and reviewed on a consistent
    and recurring basis, no less than monthly, and preferably weekly, in order to
    adequately monitor, ensure and protect the privacy of health information to
    meet the HIPAA Risk Analysis and Management Process. When used
    properly and effectively, EPIC Software and CLARITY Reports provide
    auditing and monitoring protection for electronic health information.
    9. Defendant D. SHELDON, an administrator for KPN under the KHN, had
    access to the EPIC system but was not authorized to access the health
    records of the Plaintiffs. Defendant D. Sheldon improperly accessed the
    health records of Plaintiffs on multiple occasions over a period of at least 15
    months, as Defendant KHN failed to take reasonable steps under EPIC and
    CLARITY to detect his unauthorized access or otherwise to protect such
    information.
    10. Duane Sheldon, as administrator, commenced at least one extramarital
    affair with certain others in the Kettering Health Network. In order to
    enhance his affair, Duane Sheldon improperly accessed extremely
    sensitive medical information belonging to Vicki Sheldon, and shared such
    information with his paramour, who is an employee of KPN who reported to
    D. Sheldon.
    11. In addition, upon information and belief, Duane Sheldon and other
    parties in his department created one or more fictitious names that do not
    represent real parties or real users of health information to improperly
    access protected health information.
    12. These fictitious names accessed Plaintiffs’ protected health information.
    13. In addition, there were significant other breach incidents by D.
    SHELDON and his accomplices of Vicki Sheldon’s protected health
    information, and also to the protected health information of H. DERCOLA
    and [T.D.].
    14. The breach of such information would have been prevented (or greatly
    minimized) had Defendant KHN been taking the reasonable and normal
    steps to protect Plaintiff’s health information by running weekly or at least
    monthly EPIC CLARITY reports, and monitoring those reports.
    15. Defendant KHN eventually revealed to Plaintiffs that there had been
    multiple breaches of their private and protected health information, in
    violation of the Health Information Technology for Economic and Clinical
    Health Act (“the HITECH Act”) however, when Plaintiffs requested proper
    information from the “EPIC” and “CLARITY” reports to examine the nature
    of the actual breaches, KHN refused to provide them. In fact, Plaintiffs,
    through counsel, on multiple occasions asked for copies of the “EPIC”
    reports, by name, that would have shown the exact nature of the privacy
    breaches, and Defendant refused to provide them and/or stated that such
    reports did not exist.
    16. Instead, Defendant Kettering Health Network provided a “Homegrown”
    Report (a report designed by KHN employees to control what information to
    provide) that is inadequate, and then proceeded to provide false and
    malicious information regarding the parties that are listed on the
    “Homegrown” Report.
    (Doc. #1 at 2-5).3
    {¶ 7} In short, paragraphs six through eight provide background factual
    information about KHN’s use of the EPIC system and CLARITY reports to comply with
    HIPAA’s security rule regarding the protection of electronic health information and the
    detection of breaches. Paragraph nine alleges that KHN administrator Duane Sheldon
    3
    Although the complaint contains two additional paragraphs of factual allegations after
    paragraph sixteen, those allegations involve other causes of action that the plaintiffs
    voluntarily dismissed below.
    gained unauthorized access to plaintiffs’ health records due to KHN’s failure to take
    reasonable steps, under EPIC and CLARITY, to protect the information or detect his
    actions. Paragraph ten alleges that the information he “improperly accessed” was shared
    with a subordinate KHN employee with whom he was having an affair. Paragraphs eleven
    and twelve allege that he and others created “fictitious names that do not represent real
    parties,” which were used to improperly access health information. Paragraph thirteen
    alleges other breaches of plaintiffs’ health information by Duane Sheldon. Paragraph
    fourteen alleges that the breaches would have been prevented or minimized if KHN had
    taken reasonable steps to protect the information by running and monitoring CLARITY
    reports. Paragraph fifteen alleges that KHN eventually disclosed the breaches to the
    plaintiffs but refused to provide them with pertinent CLARITY reports. Paragraph fifteen
    also mentions “the HITECH Act,” which amended HIPAA in 2009. Paragraph sixteen
    alleges that KHN provided the plaintiffs with a different, inadequate report prepared by
    KHN employees that contained false and malicious information.
    {¶ 8} We discern at least two types of tortious activity alleged by the plaintiffs: (1)
    Duane Sheldon’s intentional improper accessing and sharing of their health information
    and (2) KHN’s alleged failure to take reasonable steps to protect that information and to
    detect Duane Sheldon’s breaches. We note that the factual allegations about Duane
    Sheldon’s conduct do not necessarily appear to depend on an alleged HIPAA violation.
    The statute is invoked only in connection with the plaintiffs’ factual allegations about KHN
    failing to take reasonable steps to protect their health information and to detect his
    breaches. In particular, the plaintiffs allege that KHN failed to regularly run and monitor
    CLARITY reports, which they allege was required by HIPAA.
    {¶ 9} Based on the foregoing allegations, the plaintiffs argue they asserted
    common-law causes of action against Duane Sheldon individually for invasion of privacy,
    negligence, intentional infliction of emotional distress, and breach of fiduciary duty. We
    agree with the trial court that the complaint fairly can be read as alleging common-law
    claims against Duane Sheldon for improperly accessing and sharing the plaintiffs’ health
    information, regardless of HIPAA’s prohibition to the contrary. The trial court reached the
    same conclusion in an October 21, 2014 decision and entry denying Duane Sheldon’s
    Civ.R. 12(B)(6) motion to dismiss.4 (Doc. #34).
    {¶ 10} An important issue for purposes of KHN’s appeal is whether the plaintiffs
    are seeking to hold KHN liable on a respondeat-superior basis for Duane Sheldon’s
    allegedly tortious actions. Although the original complaint is perhaps unclear, the plaintiffs
    clarified the uncertainty in their proposed amended complaint that they filed before the
    trial court granted KHN’s Civ.R. 12(B)(6) motion. Therein, the plaintiffs proposed to allege
    that Duane Sheldon was a high-ranking administrator for KHN and added the allegation
    that “KHN is responsible for Defendant D. SHELDON’s actions on the grounds of
    respondeat superior, as his access of the health information, although improper, was
    within the scope of his duties as a high level administrator at KHN.” (Doc. #27, Plaintiffs’
    proposed first amended complaint at ¶ 20). We therefore generously construe the original
    complaint to mean that plaintiffs in fact are attempting to hold KHN vicariously liable for
    Duane Sheldon’s actions, which allegedly constituted several torts. Consequently we
    4
    We recognize that the plaintiffs voluntarily dismissed their claims against Duane
    Sheldon after the trial court granted KHN’s Civ.R. 12(B)(6) motion. We nevertheless find a
    discussion of those claims pertinent to our analysis of KHN’s Civ.R. 12(B)(6) motion and
    the plaintiffs’ motion for leave to amend their complaint.
    must determine whether the allegation of respondeat-superior liability could survive
    dismissal under Civ.R. 12(B)(6). If so, the trial court should either have so construed the
    original complaint or permitted the plaintiffs’ proposed amendment in that regard.
    {¶ 11} The existing complaint alleges that Duane Sheldon, a KHN administrator,
    “was not authorized to access the health records of the Plaintiffs” and KHN failed to
    “detect his unauthorized access” (Complaint at ¶ 9). It also alleges that “Duane Sheldon
    improperly accessed extremely sensitive medical information” (Id. at ¶ 10) and shared
    that information with another KHN employee. He did this by creating “one or more
    fictitious names * * * to improperly access protected health information.” (Id. at ¶ 11). The
    complaint alleges that Sheldon’s actions were “malicious and reckless.” (Id. at ¶ 22). The
    proposed amended complaint, which expands on the respondeat superior allegation,
    contains the same language as in the original and additionally alleges that Duane
    Sheldon violated the plaintiffs’ privacy by “wrongfully intruding into [plaintiffs’] records and
    wrongfully publishing such information to third parties.” (Proposed Amended Comp. at ¶
    22). The plaintiffs’ clarification also alleges that “his access of the health information,
    although improper, was within the scope of his duties as a high level administrator at
    KHN.” (Id. at ¶ 20).
    {¶ 12} “It is well-established that in order for an employer to be liable under the
    doctrine of respondeat superior, the tort of the employee must be committed within the
    scope of employment. Moreover, where the tort is intentional * * * the behavior giving rise
    to the tort must be ‘calculated to facilitate or promote the business for which the servant
    was employed * * *.’” Byrd v. Faber, 57 Ohio St. 3d 56, 58, 565 N.E.2d 584 (1991), quoting
    Little Miami R.R. Co. v. Wetmore, 19 Ohio St. 110, 132 (1869). An intentional and willful
    act committed by an employee “to vent his own spleen or malevolence against the injured
    person, is a clear departure from his employment” and will not support
    respondeat-superior liability. Id. at 59. In Byrd, the Ohio Supreme Court found Civ.R.
    12(B)(6) dismissal appropriate where the plaintiff attempted to use respondeat superior to
    hold a religious organization liable for a sexual assault by a pastor against a parishioner.
    {¶ 13} We reach the same conclusion here, where the complaint alleges that
    Duane Sheldon intentionally and improperly gained unauthorized access to the plaintiffs’
    health records for personal reasons in furtherance of an affair. Even construing the
    complaint, or the proposed amended complaint, most strongly in the plaintiffs’ favor, they
    can prove no set of facts entitling them to relief against KHN on a respondeat-superior
    basis for Duane Sheldon’s alleged behavior. As a result, KHN was entitled to dismissal
    under Civ.R. 12(B)(6) insofar as the plaintiffs sought to hold KHN vicariously liable for
    Duane Sheldon’s improper accessing and sharing of their health information, and the trial
    court did not err in refusing to allow the plaintiffs to amend their complaint to make the
    respondeat-superior theory more clear.
    {¶ 14} We note that a court of appeals in our neighbor state of Indiana has reached
    an apparent contrary conclusion. In Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App.
    2014), Audra Withers was a Walgreen’s pharmacist who was involved in a relationship
    with plaintiff Hinchy’s former boyfriend. Withers accessed Hinchy’s prescription profile to
    find any information about plaintiff’s potential STD. The boyfriend, to whom the accessed
    private information was apparently disclosed, contacted Hinchy a few days later claiming
    he had a print out of her drug information. A jury awarded $1.8 million in damages and
    determined Walgreen’s and Withers were 80 percent responsible. Upon review, the court
    of appeals cited portions of the Restatement (Third) of Agency, § 7.07 (2006), including
    that “[a]n employee’s act is not within the scope of employment when it occurs within an
    independent course of conduct not intended by the employee to serve any purpose of the
    employer.” Id. at § 707(2). It also referred to Ingram v. City of Indianapolis, 759 N.E.2d 1144
    (Ind.Ct.App.2001), for the proposition that when some of the employee’s acts are of
    the same nature as those authorized by the employer and some not, whether the
    employee is acting within the scope of employment is a question of fact to be determined
    by the jury. The court concluded that whether “Withers was acting in the scope of her
    employment was properly determined by the jury rather than as a matter of law by the trial
    court.” Hinchy at 108.
    {¶ 15} We do not believe Ohio law is so generous. We have previously said “a
    servant’s conduct is within the scope of his employment if it is of the kind which he is
    employed to perform, occurs substantially within the authorized limits of time and space,
    and is actuated, at least in part, by a purpose to serve the master.” Cooke v. Montgomery
    Cty., 158 Ohio App. 3d 139, 2004-Ohio-3780, 814 N.E.2d 505, ¶ 20 (2d Dist.). The
    “purpose to serve the master” ingredient has been used by several other Ohio courts of
    appeal. The Ohio Supreme Court’s formulation of the requirement is that “an employer is
    not liable for independent self-serving acts of his employees which in no way facilitate or
    promote his business.” Byrd at 59. This purpose-to-serve-the-master aspect does not
    appear in Indiana discussions of their analysis of scope of employment. Here, however,
    the undisputed facts for purposes of KHN’s motion are as alleged in the complaint about
    Duane Sheldon’s “unauthorized” and “improper” access of health information by the
    creation of “fictitious names,” and his “shar[ing] such information with his paramour” “in
    order to enhance his affair.” We see no part of that activity that has a purpose to serve
    KHN. Accordingly, under Ohio law, Sheldon was not acting within the scope of
    employment and, therefore, the plaintiffs can prove no set of facts entitling them to relief
    on a respondeat-superior claim.5
    {¶ 16} We turn now to the factual allegations in the complaint regarding KHN’s
    own failure to take reasonable steps, as alleged to be required under HIPAA, to protect
    the plaintiffs’ health information and to detect Duane Sheldon’s breaches. As noted
    above, the plaintiffs’ allegations are grounded in the notion that KHN failed to regularly
    run and monitor the EPIC system CLARITY reports in violation of HIPAA. According to the
    complaint, “the system protects medical information from being accessed by unapproved
    personnel to comply with the federal law * * * known as ‘HIPAA.’” (Doc. #1 at ¶ 6). “[T]he
    cumulative effect of the regular running of these Epic Clarity reports is to detect and deter
    improper access.” (Id. at ¶ 7). “Epic reports should be run and reviewed on a consistent
    and recurring basis * * * to meet the HIPAA Risk Analysis and Management Process.” (Id. at ¶ 8).
    {¶ 17} Based on the plaintiffs’ own specifically-titled headings of the complaint’s
    stated causes of action, they intended to assert common-law causes of action against
    5
    We note that the proposed amended complaint alleges that “KNH is responsible for
    Defendant D. Sheldon’s actions on the ground of respondeat superior, as his access of
    the health information, although improper, was within the scope of his duties as a high
    level administrator at KHN.” (Proposed Amended Comp. at ¶ 20). We make two
    observations in response. First, “[u]nsupported conclusions of a complaint are not
    considered admitted * * * and are not sufficient to withstand a motion to dismiss.” State ex
    rel. Hickman v. Capots, 45 Ohio St. 3d 324, 544 N.E.2d 639 (1989). Thus, alleging the
    conclusion that his access to records was within the scope of his duties does not
    contradict the numerous factual allegations that his access to these records was
    unauthorized and improper. Second, the fact that Duane Sheldon’s position may have
    entailed access to all the records of the entire hospital does not make his access of his
    ex-wife’s records an authorized intrusion within the scope of employment.
    KHN for invasion of privacy, negligence, negligence per se, negligent training, negligent
    supervision, intentional infliction of emotional distress, and breach of fiduciary duty. The
    trial court found these claims subject to Civ.R. 12(B)(6) dismissal because they all
    essentially alleged violations of HIPAA, or were “HIPAA based,” and the statute does not
    provide a private right of action. (Doc. #32 at 4-5).
    {¶ 18} As a preliminary matter, it is beyond dispute that HIPAA itself does not
    create an express or implied private right of action for violations of its provisions. See,
    e.g., Acara v. Banks, 470 F.3d 569, 571 (5th Cir.2006). The cases supporting this holding
    are legion, and the plaintiffs agree HIPAA provides no private action. Despite the fact that
    plaintiffs argue that they have asserted common-law claims and not a statutory HIPAA
    claim, unquestionably the complaint is grounded in the notion that KHN’s actions were
    wrongful because they failed to take steps, consistent with HIPAA, that would have
    prevented or reduced the risk of disclosure. Nevertheless, at this stage of the litigation we
    are required to interpret the complaint broadly to determine whether the allegations assert
    common-law tort claims independent from HIPAA. Thus, the absence of a private right of
    action under HIPAA does not necessarily resolve the issues before us. For that reason,
    we find some of the case law cited by KHN to be of little assistance. The Ohio case law
    upon which KHN relies does not decide whether a plaintiff can bring a common-law tort
    claim that might also involve a HIPAA violation for which no private statutory right of
    action exists. KHN cites OhioHealth Corp. v. Ryan, 10th Dist. Franklin No. 10AP-937,
    2012-Ohio-60, which states: “HIPAA does not allow a private cause of action, according
    to Ohio law.” Id. at ¶ 18, citing Henry v. Ohio Victims of Crime Compensation Program,
    S.D.Ohio No. 2:07–cv–0052, 2007 WL 682427 (Feb. 28, 2007); see also Shepherd v.
    Sheldon, N.D.Ohio No. 1:11 CV 127, 2011 WL 2971965 (July 21, 2011); Siegler v. Ohio
    State Univ., S.D.Ohio No. 2:11–cv–170, 2011 WL 1990570 (May 23, 2011); and Wood v.
    Byer, N.D.Ohio No. 5:06CV137, 2006 WL 3304053 (Aug. 9, 2006).
    {¶ 19} The Ohio federal cases cited in OhioHealth Corp. v. Ryan stand for the
    undisputed proposition that Congress did not create a private, statutory right of action to
    enforce HIPAA’s terms.6 KHN also cites Boddie v. Van Steyn, 10th Dist. Franklin No.
    13AP-623, 2014-Ohio-1069. The only cause of action at issue there was a recognized tort
    claim for breach of physician-patient confidentiality. The Tenth District held that the claim
    failed for reasons having nothing to do with HIPAA, which was mentioned in passing in
    the final paragraph.
    {¶ 20} Contrary to the language in OhioHealth Corp. v. Ryan upon which KHN
    relies, we find it imprecise to say that HIPAA “does not allow a private cause of action.”
    What we should determine is whether HIPAA prohibits common-law tort claims based on
    the wrongful release of confidential medical information unrelated to and independent
    from HIPAA itself. Indeed, the State of Ohio has recognized an independent tort for the
    “unauthorized, unprivileged disclosure to a third party of nonpublic medical information[.]”
    Biddle v. Warren Gen. Hosp., 86 Ohio St. 3d 395, 401, 715 N.E.2d 518 (1999), paragraph
    6
    In Henry, the court noted that the plaintiff’s claims actually appeared to be brought
    under HIPAA, which lacks a private right of action. In Shepherd, the plaintiffs admitted
    that they did not allege a claim under HIPAA or any tort claims at all. Although HIPAA had
    nothing to do with the case, the court recognized in a footnote that it does not create a
    private right of action. In Siegler, the court held that no claim could be brought “under
    HIPAA” because it lacked a private right of action and that any common law claim would
    be barred by the Eleventh Amendment, which is not at issue in the present case. Finally,
    in Wood, the plaintiff actually attempted to bring a claim under HIPAA itself. The court
    rejected the attempt because “HIPAA does not provide a private cause of action[.]”
    Although we do not disagree with any of the foregoing findings, none of them address the
    issue before us.
    one of the syllabus. Biddle, however, was decided before HIPAA’s privacy-rule
    regulations were published on December 28, 2000 and before its security-rule regulations
    took effect on April 21, 2003. Therefore, we must first determine whether Biddle’s
    common-law right of action recognized in 1999 survives HIPAA.
    {¶ 21} Arguing that HIPAA “does not allow” such a common-law tort claim is
    another way of saying that it preempts one. “It is well settled that the Supremacy Clause
    of the federal Constitution grants Congress the power to preempt state law.” Leppla v.
    Sprintcom, Inc., 156 Ohio App. 3d 498, 2004-Ohio-1309, 806 N.E.2d 1019, ¶ 11 (2d
    Dist.), citing Minton v. Honda of Am. Mfg., Inc, 80 Ohio St. 3d 62, 68, 684 N.E.2d 648
    (1997), abrogated on other grounds by Geier v. Am. Honda Motor Co., Inc., 529 U.S. 861,
    120 S. Ct. 1913, 146 L. Ed. 2d 914 (2000). The Ohio Supreme Court has “recognized three
    ways state law can be preempted by the Supremacy Clause: (1) where federal law
    expressly preempts state law (express preemption); (2) where federal law has occupied
    the entire field (field preemption); or (3) where there is a conflict between federal law and
    state law (conflict preemption).” Id. at ¶ 12, citing Minton at 69.
    {¶ 22} “In the case of field preemption, ‘state law is pre-empted where it regulates
    conduct in a field that Congress intended the Federal Government to occupy
    exclusively.’ ” Id. “In the case of conflict preemption, state law is preempted ‘where it is
    impossible for a private party to comply with both state and federal requirements,’ or
    ‘where state law stands as an obstacle to the accomplishment and execution of the full
    purposes and objectives of Congress.’” (Citations omitted). Id.
    {¶ 23} HIPAA is a combination of the statute and the regulations adopted under its
    authority. The HIPAA statute states that it “shall supersede any contrary provision of State
    law.” 42 U.S.C. § 1320d–7(a)(1); see also 45 C.F.R. § 160.203. But the statute
    specifically directs that any regulations shall not supersede state law that is “more
    stringent” than the requirements under HIPAA. Section 264(c)(2) of Public Law 104-191.
    The regulations provide that state law is “contrary” to HIPAA when (1) it is “impossible to
    comply with both the State and Federal requirements;” or (2) “state law stands as an
    obstacle to the accomplishment and execution” of the act. 45 C.F.R. § 160.202. The
    “more stringent” exception is adopted in 45 C.F.R. § 160.203(b). The regulations also
    explain that a state law is “more stringent” than HIPAA if the state law provides greater
    privacy protection, provides the patient greater rights of access or access to more
    information than HIPAA, or narrows the scope or duration of the use or disclosure of
    information HIPAA would allow. 45 C.F.R. § 160.202. Significantly, “State law means a
    constitution, statute, regulation, rule, common law, or other State action having the force
    and effect of law.” (Emphasis added). Id.
    {¶ 24} Upon review, we conclude that HIPAA does not preempt the Ohio
    independent tort recognized by the Ohio Supreme Court in Biddle “for the unauthorized,
    unprivileged disclosure to a third party of nonpublic medical information that a physician
    or hospital has learned within a physician-patient relationship.” Biddle, at paragraph one
    of the syllabus. However, we further conclude that federal regulations—as opposed to an
    Ohio statute that sets forth a positive and definite standard of care—cannot be used as a
    basis for negligence per se under Ohio law. Additionally, in our view utilization of HIPAA
    as an ordinary negligence “standard of care” is tantamount to authorizing a prohibited
    private right of action for violation of HIPAA itself, and moreover, in specific regard to
    plaintiffs’ allegation that monitoring access to medical records was too infrequent, HIPAA
    does not provide a standard of care as to the frequency of review of information-system
    activity.
    {¶ 25} We determine that a Biddle claim is not preempted because we fail to see
    how such a claim conflicts with HIPAA unless the alleged claim asserts recovery for
    release of information that HIPAA specifically allows. And although Congress has
    provided for enforcement of HIPAA by the Secretary of Health and Human Services, 42
    U.S.C.S. §§ 1320d–5, 1320d–6, and more recently, by State Attorneys General, see 42
    U.S.C.S. § 1320d–5(d), the allowance of recovery of an individual’s damages does not
    interfere with government enforcement. Therefore, we do not find it is impossible to
    comply with HIPAA and with state law to the extent we have indicated, and state law is not
    an obstacle to the accomplishment of HIPAA’s purposes. We believe a Biddle claim
    enhances the protection of confidentiality of medical information.
    {¶ 26} Despite our agreement that a cause of action still exists for “unauthorized,
    unprivileged disclosure to a third party of nonpublic medical information that a physician
    or hospital has learned within a physician-patient relationship,” Biddle, at paragraph one
    of the syllabus, plaintiffs have not alleged a set of facts that would entitle them to relief
    under Biddle. Initially we note that none of the titles for the causes of action in the
    complaint refer to a Biddle-type independent cause of action. The only references to
    Biddle in the plaintiffs’ various filings and briefs, both here and in the trial court, are
    references to the Biddle case in arguments associated only with the alleged
    breach-of-fiduciary-duty claim. In fact, the plaintiffs appear to equate their fiduciary-duty
    claim with a Biddle claim, arguing: “KHN breached its fiduciary duty of confidentiality as
    set forth in Biddle by disclosing information to unauthorized employees.” (Appellants’ brief
    at 10.) But the plaintiffs’ allegations fall short of raising such a claim. As applied to KHN,
    we conclude, and the hospital does not appear to dispute, that Sheldon’s alleged actions
    were “unauthorized.” He may have had authority to access any hospital medical record
    for a legitimate administrative purpose, but not for personal spying on his former spouse
    or his sharing of that information with a co-worker. It likewise appears the allegations in
    the complaint are sufficient to conclude that his access and subsequent disclosure were
    “unprivileged.” The crux of the issue is whether Sheldon’s alleged acts amount to
    “disclosure” by KHN or “disclosure” for which the hospital may be held legally responsible.
    We note that the allegations fail to allege that KHN actively or intentionally disclosed
    anything.
    {¶ 27} Biddle itself dealt with deliberate intentional disclosure of patient
    information by a hospital to a law firm to screen patients for SSI eligibility to see if that
    source could pay patients’ outstanding hospital bills. The attorneys were to be paid a
    contingency for patients where an SSI claim paid the hospital. For “two and one-half
    years, the hospital released all of its patient registration forms to the law firm without
    obtaining any prior consent or authorization from its patients to do so, and without
    prescreening or sorting them in any way.” Biddle at 395. Under any set of circumstances,
    pre- or post-HIPAA, with or without reference to HIPAA regulations, the intentional,
    unauthorized disclosures in Biddle should be actionable. Accordingly, we conclude that
    the independent tort recognized in Biddle is still viable after HIPAA although the
    parameters of such a claim may have been impacted by HIPAA preemption.
    {¶ 28} We note that recognition of a Biddle claim post-HIPAA presents a
    seemingly unsolvable conundrum. In many cases, as here, whether a release of
    information is “unauthorized” will not be in question. However, if the validity of
    authorization is disputed, the parties very well might refer to the specific authorization
    provisions of the HIPAA privacy rules for guidance. If authorization under Ohio medical
    privacy law or rules is more relaxed than HIPAA, then Ohio’s less-stringent authorization
    provisions are not effective because they are preempted by HIPAA. But one could argue
    that using HIPAA-specific authorization regulations to determine whether release is
    “unauthorized” allows for the enforcement of HIPAA regulations, which is arguably
    contrary to the overwhelming conclusion that HIPAA does not provide a private right of
    action. Because authorization of the release is not in question here, we need not resolve
    this problem.
    {¶ 29} Although case law delineating the parameters of a Biddle claim is still
    developing, the consolidation of other theories of recovery into that recognized tort is
    certain. In Biddle, as here, the plaintiffs alleged claims for invasion of privacy, intentional
    infliction of emotional distress, and negligence. The Biddle court reasoned: “[A]s to
    appellees’ continued insistence that they be entitled to pursue other theories of liability,
    we agree with the reasoning of the appellate court that these other theories are either
    unavailable, inapplicable because of their respective doctrinal limitations, or subsumed
    by the tort of breach of confidence [i.e., a Biddle claim]. Indeed, it is the very awkwardness
    of the traditional causes of action that justifies the recognition of the tort for breach of
    confidence in the first place.” Biddle at 408-409; see also Norris v. Smart Document
    Solutions, LLC, 483 Fed. Appx. 247, 248–49 (6th Cir.2012) (recognizing that a Biddle
    claim is “its own independent tort [which] forecloses an argument that [plaintiff’s] action
    should be understood as one for the long-recognized tort of wrongful taking of personal
    property” known as conversion). Although breach of fiduciary duty is not mentioned as
    subsumed in Biddle, or as foreclosed as in Norris, we determine that the plaintiffs’ alleged
    seventh count for breach of fiduciary duty is subsumed along with the other theories,
    particularly when appellant contends that “KHN breached its fiduciary duty of
    confidentiality as set forth in Biddle by disclosing information to unauthorized employees.”
    (Appellants’ Brief at 10).
    {¶ 30} In any event, we decline to recognize the plaintiffs’ alleged “Third Count:
    Negligence Per Se,” which undoubtedly is “HIPAA based,”7 for three separate reasons.
    First, to the extent that HIPAA universally has been held not to authorize a private right of
    action, to permit HIPAA regulations to define per se the duty and liability for breach is no
    less than a private action to enforce HIPAA, which is precluded. Second, in Chambers v.
    St. Mary’s School, 82 Ohio St. 3d 563, 697 N.E.2d 198 (1998), the Ohio Supreme Court
    held that “[t]he violation of an administrative rule does not constitute negligence per se;
    however such a violation may be admissible as evidence of negligence.” Id. at syllabus.
    Therefore, under Ohio case law the HIPAA administrative rules that appellants argue are
    applicable cannot be the basis of a negligence per se theory of recovery. Third, critical
    allegations in the complaint state that “Epic reports should be run and reviewed on a
    consistent and recurring basis, no less than monthly, and preferably weekly, in order to
    adequately monitor, ensure and protect the privacy of health information to meet the
    HIPAA Risk Analysis and Management Process.” (Complaint at ¶ 8) These allegations
    suggest that had KHN audited its records more frequently it would have discovered
    Duane Sheldon’s intrusion sooner (although, significantly, after he already had accessed
    the plaintiffs’ records at least once). This allegation implies that HIPAA presents some
    “standard” for when and how information security audits should be performed. We have
    not found any such regulation. We note that 45 C.F.R. § 164.312(b) provides for a
    hospital to “[i]mplement hardware, software, and/or procedural mechanisms that record
    and examine activity in information systems that contain or use electronic protected
    health information.” Another regulation, 45 C.F.R. § 164.530(i)(1), provides that “policies
    and procedures must be reasonably designed, taking into account the size of and the
    type of activities related to protected health information undertaken by the covered entity,
    to ensure such compliance.” These regulations are flexibly designed to accommodate the
    vast array of medical providers. The regulations do require auditing of record access, but
    they do not provide a “standard” for how frequently to do so. In this regard, the regulations
    do not set forth “a positive and definite standard of care * * * whereby a jury may
    determine whether there has been a violation thereof by finding a single issue of fact.”
    Eisenhuth v. Moneyhon, 161 Ohio St. 367, 374, 119 N.E.2d 440 (1954). Accordingly, the
    regulations at issue are insufficient to support negligence per se liability.
    7 The negligence per se count of the complaint says only that KHN “violated standards for
    protecting electronic health information” without reference to HIPAA or any specific
    statute or regulation to support negligence per se. In their brief, the plaintiffs’ argument
    makes clear that this claim is referring to “HIPAA requirements.” (Appellant’s Brief at 13).
    {¶ 31} The remaining question about the trial court’s dismissal of the plaintiffs’
    “HIPAA-based” claims is whether, based on the alleged facts and reasonable inferences,
    it is beyond doubt that the plaintiffs are not entitled to relief on the claim for breach of
    confidentiality of medical information. In Scott v. Ohio Dep't of Rehab. & Corr.,
    2013-Ohio-4383, 999 N.E.2d 231 (10th Dist.), inmates at Madison Correctional
    Institution, six of whom were HIV positive and the remainder of whom were “chronic care”
    patients, alleged that their confidential medical records were released to the general
    prison population. The pharmacy at the prison periodically produced HIV and
    chronic-care lists of inmates. Old lists were discarded in pharmacy trash, which was
    bagged and placed outside the pharmacy door. An inmate worker would then collect the
    trash for deposit in a dumpster in another controlled-access area. Records came into
    possession of inmates and eventually became accessible to the general prison
    population. The court of claims determined that the circumstances under which the
    medical information was disclosed did not meet the elements of Biddle, supra.
    {¶ 32} The Tenth District Court of Appeals analyzed the Biddle issue as whether
    disclosure must be intentional or willful. Upon review, it stated:
    Biddle itself is certainly premised on facts that involved a deliberate
    and intentional disclosure, but in creating this new tort under Ohio law, the
    Supreme Court relied on some authorities involving negligence fact
    patterns. [Citation and summary omitted]. We are therefore unwilling to
    accept ODRC’s proposal that “unauthorized” disclosure under Biddle
    equates to “intentional” disclosure. Ultimately, however, considering the
    matter as one of first impression, we find that under the circumstances
    outlined in the facts given above, supervised inmate access to trash
    containing unshredded medical documents does not constitute “disclosure”
    for purposes of the tort of unauthorized disclosure of medical information as
    defined by Biddle. * * *
    Without precluding that an inadvertent disclosure might, under
    different facts, fulfill the elements of Biddle, the present case does not.
    Scott at ¶¶ 29-30.
    {¶ 33} Here, at best, the plaintiffs’ claim against KHN is predicated upon KHN’s
    alleged failure to earlier detect Sheldon’s intentional, unauthorized access through
    procedures required by HIPAA. Consistent with Scott, we determine that the facts alleged
    do not constitute “disclosure” for purposes of a Biddle breach-of-confidentiality claim.
    Therefore, we affirm the trial court’s dismissal of the claims albeit as a result of a
    somewhat different analysis.
    {¶ 34} Despite preemption and the lack of a private right of action, we are aware of
    three states that have expressed approval of the use of HIPAA regulations as a standard
    of care. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433,
    102 A.3d 32 (2014), R. K. v. St. Mary’s Med. Ctr., Inc., 229 W. Va. 712, 735 S.E.2d 715
    (W. Va. 2012), and Acosta v. Byrum, 180 N.C. App. 562, 568, 638 S.E.2d 246 (N.C. Ct. App.
    2006). However, each is dependent on the nuances of applicable state law, the claims
    pursued, and the unique facts presented. In Byrne, the court analyzed state law claims of
    negligence and negligent infliction of emotional distress resulting from production of
    records in response to a subpoena without notifying the patient which, for non-judicial
    subpoenas, is required by HIPAA. The court stated “HIPAA may inform the applicable
    standard of care in certain circumstances.” Id. at 435. We perceive the issue in Byrne to
    be more of whether the release was “authorized” not whether the defendant was
    responsible for its disclosure. In R.K., plaintiff’s various state negligent, intentional
    conduct, and breach of confidentiality claims were asserted without specific HIPAA
    labeling against a hospital whose employees accessed plaintiff’s psychiatric records and
    disclosed information to his estranged wife. Although reference was made with approval
    to other cases which addressed use of HIPAA as a standard of care, the holding was “we
    now hold that common-law tort claims based upon the wrongful disclosure of medical or
    personal health information are not preempted by [HIPAA].” Id. at 724. In Acosta a
    physician gave a subordinate his medical access code, which would be contrary to
    HIPAA. The subordinate retrieved the plaintiff’s psychiatric records. The plaintiff brought
    claims for invasion of privacy and for intentional and negligent infliction of emotional
    distress alleging the sharing of the access code violated regulations of “University Health
    Systems, Roanoke Chowan Hospital, and [HIPAA].” The Acosta court determined plaintiff
    sufficiently pled causes of action separately from the HIPAA violation, although it also
    concluded that plaintiff did not bring a HIPAA claim but that HIPAA was only applicable as
    “evidence of a the duty of care owed by Dr. Faber.” To the extent that these cases from
    other jurisdictions are not binding or that they are distinguishable we choose not to follow
    them.
    {¶ 35} The first assignment of error is overruled.
    {¶ 36} In an alternative argument, KHN maintains that several of the plaintiffs’
    claims were subject to dismissal because they were not adequately pled. This argument
    pertains to the claims against KHN for invasion of privacy, negligent training, negligent
    supervision, and intentional infliction of emotional distress. Although KHN raised this
    argument below, the trial court had no occasion to address it upon finding the claims
    subject to dismissal on HIPAA-based grounds. Although we have determined that
    plaintiffs have failed to state a breach of privacy claim, and that the other claims are
    consolidated therein, including perhaps all these claims subject to alternative arguments,
    we recognize the import of our holding and therefore address whether the referenced
    causes of action, if separate, were adequately pled to survive Civ.R. 12(B)(6) dismissal.8
    {¶ 37} With regard to the claims against KHN for invasion of privacy, negligent
    training, negligent supervision, and intentional infliction of emotional distress, KHN
    argues:
    The common elements among each of these causes of action
    require that KHN must have acted intentionally or failed to act with
    knowledge of the underlying tortfeasors’ actions. Plaintiffs-Appellants’
    Complaint is void of any allegation that KHN acted intentionally to cause
    Plaintiffs-Appellants harm or that KHN knew that certain employees were
    accessing medical information without authorization and failed to act. As
    stated above, Plaintiffs-Appellants’ tort allegations against KHN are based
    upon KHN’s alleged failure to run certain “CLARITY” reports with sufficient
    frequency. Even assuming that KHN was required to run these reports with
    the frequency alleged by Plaintiffs-Appellants and that KHN failed to do so,
    that does not demonstrate that KHN acted intentionally nor does it
    demonstrate that KHN knew its employees were accessing medical
    information without authorization.
    (Appellee’s brief at 17).
    8 Ordinarily, we might be inclined to allow the trial court to address an unresolved issue in
    the first instance if we were to remand. We need not do so, however, with regard to KHN’s
    argument about the adequacy of the plaintiffs’ pleading. That issue, which was raised by
    KHN but not addressed by the trial court below, involves a question of law that we review
    de novo. Jones v. Xenia, 2d Dist. Greene No. 2011 CA 27, 2011-Ohio-5545, ¶ 9. That
    being so, we see no purpose in remanding for the trial court to opine on the issue.
    {¶ 38} Upon review, we agree with KHN that two of the causes of action at issue,
    namely invasion of privacy and intentional infliction of emotional distress, fail to state a
    claim upon which relief can be granted because they do not allege KHN acted
    intentionally. The plaintiffs’ brief makes clear that they are alleging “wrongful intrusion”
    invasion of privacy.9 This theory requires proof of an intentional intrusion upon the
    solitude or seclusion of another or his private affairs or concerns. King v. Cashland, Inc.,
    2d Dist. Montgomery No. 18208, 2000 WL 1232768, *3 (Sept. 1, 2000); Havens-Tobias v.
    Eagle, 2d Dist. Montgomery No. 19562, 2003-Ohio-1561, ¶ 26.10 The plaintiffs’ complaint
    alleges no such intentional intrusion on the part of KHN. Rather, it alleges that KHN
    negligently failed to protect the privacy of the plaintiffs’ electronic medical information by
    not taking reasonable steps to protect the information by running and monitoring
    CLARITY reports. Although the complaint does allege intentional intrusions by defendant
    Duane Sheldon, we determined above that the nature of his conduct precludes
    respondeat-superior liability.
    9 The Ohio Supreme Court has recognized four types of invasion-of-privacy claims: (1)
    unwarranted appropriation or exploitation of one’s personality, (2) publicizing of one’s
    private affairs, (3) wrongful intrusion into one’s private activities, and (4) false-light
    invasion of privacy. Welling v. Weinfeld, 113 Ohio St. 3d 464, 2007-Ohio-2451,
    866 N.E.2d 1051.
    10 We recognize that in Prince v. St. Francis-St. George Hosp., Inc., 20 Ohio App. 3d 4,
    484 N.E.2d 265 (1st Dist.1985), the First District opined that invasion of privacy may be
    supported by negligent as well as intentional acts where a physician improperly mailed a
    medical-claim form containing a confidential diagnosis for Mrs. Prince to a co-worker of
    her husband. Invasion of privacy could exist “whether [the physician’s] potential ultimate
    liability is predicated on his intentional acts (preparing and mailing the telltale material), or
    upon the negligence of those acts.” Id. at 7.
    {¶ 39} We reach the same conclusion with regard to intentional infliction of
    emotional distress, which requires a showing that the actor intended to cause emotional
    distress or knew, or should have known, that his actions would result in severe emotional
    distress. Ratcliff v. Seitz, 2d Dist. Miami No. 2014-CA-9, 2014-Ohio-4412, ¶ 47 (citing
    cases). Here we fail to see how the plaintiffs can prove a set of facts establishing KHN’s
    intentional infliction of emotional distress based on KHN’s allegedly negligent failure to
    run and monitor CLARITY reports. Once again, although Duane Sheldon allegedly acted
    intentionally, the facts in the complaint do not support respondeat-superior liability.
    {¶ 40} The trial court also did not err in refusing to allow the plaintiffs to amend their
    complaint concerning their claims for invasion of privacy and intentional infliction of
    emotional distress. If these claims are subsumed into the breach of confidentiality claim,
    as we have held, then amendment would not change their consolidation and would not
    change viability. Moreover, having reviewed the plaintiffs’ proposed amended complaint,
    we note that it did not remedy the lack of allegedly intentional misconduct on the part of
    KHN. Therefore, the proposed amendment would have been futile with respect to the
    claims for invasion of privacy and intentional infliction of emotional distress. See Cruz v.
    Kettering Health Network, 2d Dist. Montgomery No. 24465, 2012-Ohio-24, ¶ 34
    (recognizing that leave to amend a complaint may be denied when the proposed
    amendment would be futile).
    {¶ 41} We reach a similar result concerning the plaintiffs’ claims for negligent
    training and negligent supervision. The elements of a negligent supervision claim
    essentially are the same as those required to prove negligent hiring. Browning v. Ohio
    State Hwy. Patrol, 151 Ohio App. 3d 798, 2003-Ohio-1108, 786 N.E.2d 94, ¶ 67 (10th
    Dist.). Likewise, other courts have recognized that the elements of negligent training are
    also the same. Ford v. Brooks, 10th Dist. Franklin No. 11AP-664, 2012-Ohio-943, ¶ 22,
    citing Jarvis v. Securitas Sec. Servs. USA, Inc., D.Md. No. 11–cv–00654–AW (Feb. 16,
    2012). They are: “(1) the existence of an employment relationship; (2) the employee’s
    incompetence; (3) the employer’s actual or constructive knowledge of such
    incompetence; (4) the employee’s act or omission causing the plaintiff’s injuries; and (5)
    the employer’s negligence in hiring or retaining [or training or supervising] the employee
    as the proximate cause of plaintiff’s injuries.” Evans v. Ohio State Univ.,
    112 Ohio App. 3d 724, 739, 680 N.E.2d 161 (10th Dist. 1996).
    {¶ 42} KHN correctly notes that these claims require proof that it had actual or
    constructive knowledge of Duane Sheldon’s incompetent behavior. The relevant behavior
    here involved his allegedly unauthorized and improper accessing and sharing of the
    plaintiffs’ electronic health information. Nothing in the complaint suggests that KHN had
    actual knowledge of this behavior. The complaint alleges the manner in which KHN could
    be deemed to have constructive knowledge of Sheldon’s access and that is to monitor the
    EPIC system CLARITY reports to comply with HIPAA security rules. We agree with the
    trial court that the manner alleged in the complaint for KHN to have discovered Sheldon’s
    unauthorized access is definitively HIPAA-based. Because we believe allowing such a
    claim to proceed effectively would allow a private action for damages predicated on
    HIPAA requirements, recovery based on that part of the complaint is prohibited. We have
    not found, and the plaintiffs have not cited, an Ohio case supporting a cause of action
    based on negligent failure to follow HIPAA regulations. We conclude that the trial court
    correctly dismissed these claims.
    {¶ 43} We again acknowledge that the plaintiffs moved to amend their complaint,
    but the proposed amendments would not have cured the fatal deficiencies. The proposed
    amended complaint retained virtually every allegation found in the original, including the
    allegations that KHN was negligent in failing adequately to monitor the CLARITY reports
    from the EPIC system as required by HIPAA. The only proposed changes of substance
    that could relate to the negligent training or supervision claims are the addition of the
    following allegations:
    9. Although it is not mandated that the EPIC system be used by any
    controlling authority, it is clear that the standard of care established by
    HIPAA is that a health entity must take reasonable and prudent steps to
    safeguard patient information.
    10. Complete and apart from any standard of care, KHN has a common law
    duty to safeguard patient confidential health information.
    ***
    12. Defendant KHN, complete and apart from its duty of care established by
    HIPAA, failed to take reasonable care to safeguard patient health
    information.
    ***
    49. In asserting the above common law claims, Plaintiffs disclaim any
    attempt at enforcing “HIPAA”. They do not seek civil or criminal penalties
    against KHN for “HIPAA violations”; rather they seek common law remedies
    to themselves for damages, as contained in the prayer for relief.
    {¶ 44} Paragraphs 9 and 10 allege only the existence of a common-law duty to
    protect patient health information. That is not in dispute. Paragraph 12 merely alleges, in
    conclusory fashion, that KHN was negligent. But the only factual allegations to support
    that bare conclusion are all the factual allegations about Duane Sheldon’s intrusion and
    the HIPAA-induced monitoring KHN allegedly should have done to detect his access.
    Those factual assertions remain intact in the proposed amended complaint. Finally,
    paragraph 49 is no more than an attempt by the plaintiffs to distance themselves from
    what they now recognize is a prohibited HIPAA claim when the bulk of their factual
    assertions—most importantly with regard to the HIPAA obligations related to monitoring
    the EPIC CLARITY reports to discover Sheldon’s intrusion—remain unchanged. We
    reiterate that the proposed amended complaint would not cure the infirmities we have
    addressed.
    {¶ 45} Based on the reasoning set forth above the assignments of error are
    overruled and the trial court’s judgment is affirmed.
    .............
    DONOVAN, J., and WELBAUM, J., concur.
    Copies mailed to:
    Robert F. Croskery
    Doreen Canton
    Evan T. Priestle
    J. Steven Justice
    Glen McMurry
    Hon. Timothy N. O’Connell