Hospital Liability for Employee HIPAA Breaches

A hospital employee, who has been “HIPAA-trained” and admits to knowing better, accesses his ex-wife’s new boyfriend’s medical records and posts sensitive information on social media.  Is the hospital liable for the employee’s actions?

First, assume that the hospital did nothing wrong.  That requires the assumption that the employee was adequately trained, that the employee’s job required that he have access to this data, and that there was no way to otherwise limit the employee’s access.

Based on the above, the hospital should not be liable.  The law regarding an employer’s liability for the intentional acts of an employee is clear: “An employer is not vicariously liable merely because his employee commits an intentional tort on the business premises during working hours. Vicarious liability will attach in such a case only if the employee is acting within the ambit of his assigned duties and also in furtherance of his employer’s objective.” Honor v. Tangipahoa Parish Sch. Bd., 2013-0298 (La. App. 1 Cir. 11/1/13), 136 So. 3d 31, 36, reh’g denied (Dec. 5, 2013), writ denied, 2014-0008 (La. 2/28/14), 134 So. 3d 1181; see also Baumeister v. Plunkett, 95-2270 (La. 5/21/96), 673 So. 2d 994, 996; Barto v. Franchise Enterprises, Inc., 588 So. 2d 1353, 1356 (La. App. 2 Cir. 1991);  Craft v. Wal-Mart Stores, Inc., 2001-564 (La. App. 3 Cir. 10/31/01), 799 So. 2d 1211, 1214.  An employer should not be held liable for any alleged criminal actions of an employee motivated by “purely personal considerations extraneous to the employer’s interest.” Angle v. Dow, 08-224 (La. App. 5 Cir. 8/19/08), 994 So. 2d 46, 50. Any intentional activities of a hospital employee that were not within their job description, such as criminal activity, and would not further the goals of the hospital, cannot be attributed to the hospital.

Therefore, any HIPAA violation intentionally committed by an employee of a hospital should not be attributed to the hospital. Accessing and disclosing PHI in violation of HIPAA is a crime, and thus would neither fall within the course and scope of the employee’s employment at the hospital nor benefit the hospital.

Written by: Greg Frost
