The situation is different, of course, when a physician or other licensed provider breaches the fiduciary duty of patient confidentiality; then the patient may have direct recourse against the provider for breach of the provider’s professional duties. Frequently, however, it is not the licensed provider that breaches patient confidentiality, but an unlicensed employee of a hospital or medical practice that makes an unauthorized disclosure of health information. In that case, the patient’s recourse is limited to seeking damages from the hospital or medical practice under the legal doctrine of respondeat superior, that is, an employer’s liability for the foreseeable actions of an employee acting within the scope of employment.
Suing a hospital or medical practice for an employee privacy breach is of limited usefulness in many cases, however, because often the employee’s actions are not foreseeable or the employee is not acting within the scope of his or her employment. Such a finding will usually defeat a patient’s claim against the employer hospital or medical practice for the employee’s actions.
As is frequently the case in health law, however, all of that may be about to change, and if it does, hospitals and medical practices may be exposed to a significant new area of direct liability.
Doe v. Guthrie Clinic, Ltd.  is a case pending in the U.S. Court of Appeals, Second Circuit (New York, Connecticut and Vermont), which is considering whether to adopt a significant expansion of direct liability for hospitals and medical practices that, if approved, would open the door for patients in other states to seek damages under the same theory. I’ll explain the Guthrie case in an upcoming post and discuss what providers should be doing now to shield themselves from this direct liability.
Clay B. Wortham
McBrayer, McGinnis, Leslie & Kirkland, PLLC
 Doe v. Guthrie Clinic Ltd., 12-1045-cv (2nd Cir. 2013).