Profession
Punitive damages ruled OK for privacy breach
■ The New York decision says the extra penalty is needed to prevent future violations.
By Amy Lynn Sorrel — Posted Dec. 17, 2007
- WITH THIS STORY:
- » Case at a glance
- » Related content
A New York appeals court ruling affirms that patients' privacy rights are paramount and makes it clear that the stakes for violating confidentiality could be high.
In a 3-2 decision, the Supreme Court of New York, the state's appellate level, allowed a patient to recover punitive damages from a surgical clinic for a privacy breach.
The patient had an abortion at Long Island Surgi-Center in 1999 and verbally instructed the staff to contact her on her cell phone because she did not want her parents to know about it, court records show. But after the procedure, a nurse called the patient's home to check on her and spoke with her mother. The nurse didn't mention the abortion but shared enough information for the mother to surmise what occurred.
Judges acknowledged that the breach didn't appear intentional but found enough evidence that the facility's conduct could be considered grossly negligent -- a standard sufficient to warrant punitive damages.
"There was no justification whatsoever offered for the remarkably casual way in which the center handled the plaintiff's sensitive medical information, and the need to deter other medical providers from engaging in similar conduct could hardly be clearer," the Sept. 25 opinion states.
Like every state, New York has a law to protect an individual's right to keep medical records and treatment confidential, the court said.
"As a result, when a state-licensed entity breaches that right -- and especially when it does so in connection with a particularly sensitive medical procedure -- more may be involved than simply a private wrong," the majority wrote.
A jury originally awarded the plaintiff $300,000 in punitive damages, on top of $65,000 for emotional distress. But the appeals court ordered a new trial because Long Island Surgi-Center was prevented from arguing that the disclosure was an isolated event. Judges said that could factor into the punitive award.
A new trial holds uncertainty for the plaintiff in that it could mean smaller or no punitive damages, or even a finding for the defendants. She is asking the court to reconsider that part of its decision.
Doctors generally are cautious about releasing patient information, and the ruling sends a strong message reinforcing that confidentiality, said James C. Pyles, a health lawyer and medical privacy expert with Washington, D.C.-based Powers Pyles Sutter & Verville PC.
"Clearly the court intended this to be a signal and a warning to the medical community ... that the patient's right to privacy must be recognized and protected."
Pyles said courts can require a showing of either bad faith or recklessness when considering punitive damages. But the overall purpose, he noted, is to prevent future bad conduct, and that's the approach the court took in this case.
In a way, Pyles said, the ruling could help doctors at a time when they "are under siege from various [third-party] groups to disclose patient information, even when standards of medical ethics and laws say they can't." Physicians could point to the opinion to explain their decisions not to share private patient data.
A single incident, defense says
Long Island Surgi-Center argues that the breach was an honest mistake, and it shouldn't face an excessive fine in the absence of deliberate harm. Nothing like it ever happened before, said Barbara D. Goldberg, the facility's attorney. She said the court adopted a broad interpretation of when punitive damages are allowed, and this ultimately could harm patient care.
"In a situation where a doctor or clinic has to get in touch with a patient over concerns with a medical condition, they may be afraid to speak to anyone else, even if they have a legitimate reason for doing so," Goldberg said.
The clinic staff was concerned that the patient might have a complication, and this prompted the call home the day after the abortion, according to court documents. It turned out that the patient did not have complications, Goldberg said. Nurses were unaware that the patient already had called in for some pending blood test results because it wasn't noted in her chart.
Using the only phone number printed on labels affixed throughout the patient's record, a nurse called the patient at home. Her cell phone and work numbers also were in the chart on a medical history form. There, her home number was crossed out by hand, though without a notation indicating not to call her there.
The appeals court emphasized that Long Island Surgi-Center had no clear written plan for protecting patients' privacy rights, and the staff had conflicting and confusing documentation of such requests. The center did not have a special form to record the patient's instructions. Some nurses testified that they would write "do not call" next to a number, while others said they would cross the number out.
John J. Guadagno, the patient's attorney, said punitive damages are appropriate in this situation despite the lack of bad faith. "When you set up policies recklessly and inconsistently, you create the situation with my client."
Two judges disagreed with the ruling. Despite the staff's lack of proper training, "this is not a situation in which a health facility flagrantly disregarded the rights of its patients by having no policy in place," they wrote.
The dissenting opinion said other mechanisms exist to deter privacy violations, making punitive fines unnecessary. For example, New York's Health Dept. investigated the breach in this case and required the surgery center to devise a corrective plan.
HIPAA is also a deterrent, Goldberg said.
Health lawyer Pyles said that as long as doctors and medical facilities have trained staff and well-defined privacy procedures that meet state and federal privacy standards, "even if they make a mistake, you are not likely to face punitive damages." That is because a court is not likely to consider the breach grossly negligent.
But he warned: "The more personal or sensitive the information and clearer it is that it shouldn't be disclosed, the higher the accountability."