A healthy doctor-patient relationship must be based on complete trust and candor. If patients don’t have complete faith that their disclosures will remain confidential, they are less likely to reveal information that might prove vital to their treatment.
A doctor who breaks the bond of nondisclosure may be held liable under certain circumstances. Medical professionals can and have been sued for breaking this faith. But if you’re not a doctor or a patient, this issue doesn’t have an impact on your business. Or does it?
Assisting or inducing someone to break the law is illegal, and this third party liability can be applied to a breach of doctor-patient confidentiality.
In 1965, an Ohio court held a third party liable for inducing a breach. In Hammonds v. Aetna Casualty & Surety Co., the court found liable an insurance company that had induced a physician to reveal confidential medical information about a patient. An Ohio district court expanded the confidentiality issue by holding an employer liable for inducing the disclosure of medical information regarding an employee.
At that point, knowledge of patients’ rights of privacy became an issue for all employers.
Defining liability
An employer can be liable for breach of confidentiality even if the breach is accidental. Revealing medical information to spouses or other family members can be illegal, even if no harm is intended.
Even a wavier or release won’t always provide full protection for the employer; often, the forms lack the required legal elements.
How do employers run afoul of the rules regarding medical confidentiality? Typically, problems arise from routine situations. For example, let’s say your HR staff contacts a physician for a list of an employee’s prescriptions. The reason may be perfectly innocent.
But that doctor should not, without the patient’s explicit consent, give that information to anyone, and the employer can be held liable for inducing the information without consent.
Or suppose the employer has a policy of drug testing and a staffer learns the employee is taking an antidepressant and mentions this to someone. You, as the employer, could be held liable for the breach of confidentiality or the inducement of another party’s breach.
Liability can arise even if you have no physician-patient relationship with the individual whose information has been revealed. Worse, liability is not limited to actions by management; virtually any member of your work force can make a mistake that can result in a judgment against your company.
Preventive measures
Strict procedures and staff training can alleviate potential problems. The best solution is simple: No information about a person’s medical history should be shared without an explicit written release specific to the particular disclosure.
Always verify any information you share is covered by the language in the release, which should clearly indicate what information is requested, with whom it will be shared and for what reason.
Store records securely. Keep this type of information securely locked away, and train your staff regarding disclosure procedures and the liability that can be incurred when records are handled improperly.
Start with a seminar led by an attorney to train executives and HR staff about preventive techniques and legal ramifications. They can then train other employees and new hires.
If questionable situations or problems occur, seek an attorney’s advice to attempt to avoid liability. The small amount invested in preventive measures could save an exorbitant amount later.
If everyone understands the importance of keeping medical information private, your business will go a long way toward avoiding painful complications and side effects. Jacklyn J. Ford is a partner with Vorys, Sater, Seymour and Pease LLP, where she practices in the field of labor and employment law with an additional practice in health care systems, behavioral health and privacy. Kimberly L. Rathbone is an associate in the Cleveland office of the firm, where she practices in the litigation group. They can be reached at www.vssp.com.
