Sheldon v. Kettering Health Network
40 N.E.3d 661
Ohio Ct. App.2015Background
- Plaintiffs Vicki Sheldon and Haley Dercola sued Kettering Health Network (KHN) after a KHN administrator, Duane Sheldon, allegedly accessed and shared plaintiffs’ electronic health records without authorization over a 15‑month period. Plaintiffs also alleged KHN failed to run/monitor EPIC/CLARITY audit reports that would have detected the breaches.
- Claims against KHN included invasion of privacy, negligence, negligence per se, negligent training and supervision, intentional infliction of emotional distress, and breach of fiduciary duty. Plaintiffs sought to rely on HIPAA/HITECH standards (and EPIC monitoring practices) as the basis for duties.
- KHN moved to dismiss under Civ.R. 12(B)(6), arguing plaintiffs’ claims were effectively attempts to enforce HIPAA (which provides no private right of action) and that several tort counts were inadequately pleaded. The trial court dismissed the complaint; plaintiffs appealed.
- The appellate court construed the complaint as alleging two theories: (1) intentional, personal misconduct by Duane Sheldon in accessing/sharing records; and (2) KHN’s own negligence/failure to detect those breaches by not following HIPAA‑related auditing practices.
- The court held Sheldon’s alleged conduct was personal, not within the scope of employment, so respondeat superior liability against KHN for his intentional acts could not survive dismissal. The court also held many claims failed because they depended on enforcing HIPAA or on HIPAA regulations as negligence per se standards, which is impermissible.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether HIPAA precludes common‑law tort claims for wrongful disclosure of medical information | Sheldon/Dercola: HIPAA does not preclude common‑law claims; HIPAA can inform the standard of care but plaintiffs assert independent torts | KHN: Plaintiffs are trying to circumvent the absence of a private HIPAA cause of action by relabeling HIPAA violations as torts | Court: HIPAA does not preempt Ohio’s Biddle tort generally, but plaintiffs’ claims here largely attempted to enforce HIPAA and thus those HIPAA‑based theories were not actionable |
| Whether KHN can be vicariously liable (respondeat superior) for Duane Sheldon’s intentional access/sharing | Plaintiffs: Sheldon was a high‑level admin and his record access was within scope of duties | KHN: Sheldon’s access was unauthorized, personal, and not intended to serve employer | Court: Sheldon’s intentional acts furthers a personal affair and are outside scope of employment; respondeat superior fails as a matter of law |
| Whether HIPAA/regulations may establish negligence per se or a definitive standard of care for audit frequency | Plaintiffs: HIPAA/EPIC auditing requirements (weekly/monthly) establish KHN’s duty and breach | KHN: HIPAA provides no private cause of action and its flexible regulations cannot create negligence per se | Court: HIPAA regulations do not create negligence per se under Ohio law and do not prescribe a definitive auditing frequency; using them as per se standards would amount to an impermissible private enforcement of HIPAA |
| Whether invasion of privacy, intentional infliction of emotional distress, negligent training/supervision claims were sufficiently pled against KHN | Plaintiffs: KHN’s failure to run/monitor reports constituted actionable intrusion, negligence, and caused distress | KHN: Complaint lacks allegations KHN acted intentionally or had actual/constructive knowledge of wrongdoing; allegations rest on HIPAA‑based monitoring obligations | Court: Invasion of privacy (wrongful intrusion) and intentional infliction of emotional distress require intentional conduct by defendant and fail as pleaded; negligent training/supervision fail because allegations rest on HIPAA‑based constructive‑knowledge theory and are insufficient |
Key Cases Cited
- Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395 (1999) (recognizes independent tort for unauthorized, unprivileged disclosure of nonpublic medical information)
- Byrd v. Faber, 57 Ohio St.3d 56 (1991) (respondeat superior does not apply where employee’s intentional torts are personal and not to serve employer)
- Chambers v. St. Mary's School, 82 Ohio St.3d 563 (1998) (violation of administrative rule is not negligence per se but may be evidence of negligence)
- Acara v. Banks, 470 F.3d 569 (5th Cir.) (HIPAA does not create a private right of action)