[BreachExchange] Ex-hospital employee’s unauthorized access to patient info leaves genuine questions of fact, COA rules

[Terrell Byrd]

https://www.theindianalawyer.com/articles/ex-hospital-employees-unauthorized-access-to-patient-info-leaves-genuine-questions-of-fact-coa-rules


A hospital group and its former employee at odds over her unauthorized
access of confidential patient records aren’t quite finished with their
legal battle, the Court of Appeals of Indiana ruled Wednesday.

For nearly two years, former Franciscan Alliance employee Christina A.
Padgett accessed a specific patient’s confidential protected health
information in violation of a workforce confidentiality agreement. Padgett
accessed the confidential patient information between October 2012 and
April 2014 in order to learn “when the patient would be at Padgett’s
workplace so that Padgett could avoid the patient’s alleged harassment” of
her.

In 2018, four years after Padgett had resigned, the state of Indiana filed
a lawsuit in federal court against Franciscan for its alleged violations of
the Health Insurance Portability and Accountability Act of 1996, or HIPAA.

The state alleged Franciscan had inadequate procedures in place to protect
patients’ PHI relating to information access monitoring, responses to
security incidents and termination of unauthorized access to patient
information. It further alleged that Franciscan failed to retain written
records of its policies and procedures as required under HIPAA, and that it
had not updated its policies in a timely manner. Finally, the state argued
that Padgett accessed the information when it wasn’t required for her work
and that Franciscan didn’t know about it until after the patient
complained, yet still did nothing to end it before Padgett resigned.

Franciscan and the state settled in August 2018, with Franciscan agreeing
to pay $80,000 and to comply with specified HIPAA regulations regarding
Franciscan’s policies and procedures, including implementing policies and
procedures relating to information access monitoring and responses to
security incidents.

The next month, Franciscan sued Padgett for breach of contract, breach of
fiduciary duty, negligence and indemnification claims. It sought an order
that Padgett pay the $80,000 Franciscan had paid to settle the HIPAA
lawsuit.

The Marion Superior Court denied Franciscan’s summary judgment motion and
granted Padgett’s summary judgment motion on all of Franciscan’s claims.
However, it did deny Padgett’s motion for summary judgment on her
counterclaim that Franciscan brought an allegedly frivolous lawsuit and
entered judgment for Franciscan on that claim.

The Court of Appeals of Indiana partially affirmed and reversed in
Franciscan Alliance, Inc. v. Christina A. Padgett, 21A-PL-1738, finding
first that the trial court erred in granting Padgett summary judgment and
denying it to Franciscan on the issue of  timeliness. The COA held that
Franciscan’s claims did not accrue and that the statute of limitations did
not begin to run until August 2018, at the earliest.

“Even assuming, arguendo, the existence of a contract and the existence of
a duty owed by Padgett to Franciscan, summary judgment is not appropriate
because there are genuine issues of material fact regarding whether Padgett
breached the contract and/or her common law duty,” Judge L. Mark Bailey
wrote for the COA.

“The Agreement between Padgett and Franciscan states that Padgett will
access confidential information only for ‘legitimate business purposes.’
However, neither the document itself nor any of the designated evidence
establish the meaning of that term,” Bailey continued.

The appellate court also concluded that neither party designated evidence
establishing whether Padgett was authorized to access the confidential
patient information at issue or, if not, whether her unauthorized actions
caused the damages Franciscan incurred in the state’s HIPAA lawsuit against
it.

“Therefore, as to Franciscan’s contract, tort, and indemnification claims,
we affirm denial of summary judgment for Franciscan, reverse summary
judgment in favor of Padgett, and remand for further proceedings consistent
with this decision,” the court concluded.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20211209/78cc9330/attachment.html>