[Cite as Sheldon v. Kettering Health Network,
IN THE COURT OF APPEALS OF OHIO SECOND APPELLATE DISTRICT MONTGOMERY COUNTY
VICKI SHELDON, et al.
Plaintiff-Appellants
v.
KETTERING HEALTH NETWORK, et al.
Defendants-Appellees
Appellate Case No. 26432
Trial Court Case No. 14-CV-3304
(Civil Appeal from Common Pleas Court)
. . . . . . . . . . .
O P I N I O N
Rendered on the 14th day of August, 2015.
. . . . . . . . . . .
ROBERT F. CROSKERY, Atty. Reg. No. 0064802, Croskery Law Offices, 810 Sycamore Street, 2nd Floor, Cincinnati, Ohio 45202
Attorney for Plaintiffs-Appellants, Vicki Sheldon, T.D., and Haley Dercola
DOREEN CANTON, Atty. Reg. No. 0040394, and EVAN T. PRIESTLE, Atty. Reg. No. 0089889, Taft Stettinius & Hollister LLP, 425 Walnut Street, Suite 1800, Cincinnati, Ohio 45202-3957
Attorneys for Defendant-Appellee, Kettering Adventist Healthcare
J. STEVEN JUSTICE, Atty. Reg. No. 0063719, and GLEN McMURRY, Atty. Reg. No. 82600, 210 West Main Street, Troy, Ohio 45373
Attorneys for Defendant-Appellee, Duane Sheldon
. . . . . . . . . . . . .
HALL, J.
Plaintiffs-appellants Vicki Sheldon and Haley Dercola appeal from the trial court’s Civ.R. 12(B)(6) dismissal of their complaint against defendant-appellee Kettering Adventist Healthcare d/b/a Kettering Health Network (“KHN”). [1] The complaint alleged common-law tort claims for invasion of privacy, negligence, negligence per se, negligent training, negligent supervision, intentional infliction of emotional distress, and breach of fiduciary duty. [2] The claims stemmed from KHN’s alleged failure to protect the privacy of the plaintiffs’ electronic medical information and the improper accessing and disclosure of that information by KHN administrator Duane Sheldon, the former spouse of Vicki Sheldon. KHN responded to the complaint by seeking dismissal under Civ.R. 12(B)(6).
In support, KHN argued that each of the tort claims was based on alleged violations of the federal Health Insurance Portability and Accountability Act (“HIPAA”). KHN noted that HIPAA did not provide a private right of action to enforce its terms. Therefore, KHN reasoned that the plaintiffs could not assert common-law tort claims essentially alleging HIPAA violations. KHN argued that the “[p]laintiffs should not be permitted to circumvent the bar on private enforcement of HIPAA violations by merely masking alleged HIPAA violations as common-law torts.” (Doc. #14 at 9). Alternatively, KHN argued that the plaintiffs had failed to plead facts establishing the elements for their alleged claims for invasion of privacy, negligent training, negligent supervision, and intentional infliction of emotional distress. The plaintiffs responded by arguing, among other things, that nothing prohibited them from “pursuing common law claims based on violations of their privacy just because such claims overlap with HIPAA violations.” (Doc. #18 at 2). They also asserted that their tort claims had been pled sufficiently. (Id. at 8-13). The plaintiffs additionally moved for leave to file a first amended complaint, seeking to clarify that they were alleging tortious conduct apart from HIPAA. (Doc. #27).
The trial court sustained KHN’s Civ.R. 12(B)(6) motion in an October 21, 2014 decision and entry. (Doc. #32). After reviewing the plaintiffs’ complaint, the trial court concluded that each of their tort claims was based on an alleged HIPAA violation. Because HIPAA does not provide a private right of action, the trial court concluded that the plaintiffs could not state a claim for relief. (Id.). The decision did not address KHN’s alternative arguments to dismiss some of plaintiffs’ claims. The trial court’s ruling also did not explicitly address the plaintiffs’ motion for leave to amend their complaint. The trial court subsequently dismissed that motion, as moot, based on its sustaining of KHN’s Civ.R. 12(B)(6) motion.
In their first assignment of error, the plaintiffs contend the trial court erred in dismissing their common-law claims against KHN. While conceding that HIPAA itself does not provide a private right of action to enforce its terms, the plaintiffs insist that the statute also does not preclude their common-law tort claims, which, they argue, point to HIPAA and other sources for a standard of care. In response, KHN argues, as it did below, that the plaintiffs cannot maintain common-law tort claims based on, and resulting from, alleged HIPAA violations. In a second assignment of error, the plaintiffs contend the trial court erred in not allowing them to amend their complaint to make clear that they were not seeking recovery under HIPAA and that they were relying on the statute, at most, to establish a standard of care.
We begin our review with the standards applicable to a Civ.R. 12(B)(6) motion. A motion to dismiss a complaint for failure to state a claim upon which relief can
be granted, pursuant to Civ.R.12(B)(6), tests the sufficiency of a complaint. For a
defendant to prevail, it must appear beyond doubt from the complaint that the plaintiff can
prove no set of facts entitling him to relief. O’Brien v. University Community Tenants
Union, Inc .,
contains the following factual allegations:
6. Defendant KHN uses a system of software for storing, maintaining, accessing, and protecting electronic medical information. The system is known as “EPIC.” When properly used, the system protects medical information from being accessed by unapproved personnel to comply with the federal law Health Insurance Portability and Accountability Act, otherwise known as “HIPAA.”
7. The “EPIC” System uses reports to ensure that electronic medical information is safely protected and remains private. Through a series of reports, known as “CLARITY” reports, the hospital or authorized medical information custodian has the ability to ensure that records are not being improperly accessed through, but not limited to, the following reports: * * * [The complaint lists numerous different types of reports that allegedly can be produced to help detect possible security or privacy breaches]. The cumulative effect of the regular running and monitoring of these Epic Clarity reports is to detect and deter improper access. When routinely run and monitored, the Epic Clarity reports provide early detection of privacy breaches of EHRs.
8. Under the HIPAA Security Rule, a covered entity must identify and analyze potential risks to electronic private health information, and it must implement security measures that reduce risks and vulnerabilities to a reasonable level. Epic reports should be run and reviewed on a consistent and recurring basis, no less than monthly, and preferably weekly, in order to adequately monitor, ensure and protect the privacy of health information to meet the HIPAA Risk Analysis and Management Process. When used properly and effectively, EPIC Software and CLARITY Reports provide auditing and monitoring protection for electronic health information.
9. Defendant D. SHELDON, an administrator for KPN under the KHN, had access to the EPIC system but was not authorized to access the health records of the Plaintiffs. Defendant D. Sheldon improperly accessed the health records of Plaintiffs on multiple occasions over a period of at least 15 months, as Defendant KHN failed to take reasonable steps under EPIC and CLARITY to detect his unauthorized access or otherwise to protect such information.
10. Duane Sheldon, as administrator, commenced at least one extramarital affair with certain others in the Kettering Health Network. In order to enhance his affair, Duane Sheldon improperly accessed extremely sensitive medical information belonging to Vicki Sheldon, and shared such information with his paramour, who is an employee of KPN who reported to D. Sheldon.
11. In addition, upon information and belief, Duane Sheldon and other parties in his department created one or more fictitious names that do not represent real parties or real users of health information to improperly access protected health information.
12. These fictitious names accessed Plaintiffs’ protected health information.
13. In addition, there were significant other breach incidents by D. SHELDON and his accomplices of Vicki Sheldon’s protected health information, and also to the protected health information of H. DERCOLA and [T.D.].
14. The breach of such information would have been prevented (or greatly minimized) had Defendant KHN been taking the reasonable and normal steps to protect Plaintiff’s health information by running weekly or at least monthly EPIC CLARITY reports, and monitoring those reports.
15. Defendant KHN eventually revealed to Plaintiffs that there had been multiple breaches of their private and protected health information, in violation of the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”) however, when Plaintiffs requested proper information from the “EPIC” and “CLARITY” reports to examine the nature of the actual breaches, KHN refused to provide them. In fact, Plaintiffs, through counsel, on multiple occasions asked for copies of the “EPIC” reports, by name, that would have shown the exact nature of the privacy breaches, and Defendant refused to provide them and/or stated that such reports did not exist.
16. Instead, Defendant Kettering Health Network provided a “Homegrown” Report (a report designed by KHN employees to control what information to provide) that is inadequate, and then proceeded to provide false and malicious information regarding the parties that are listed on the “Homegrown” Report.
(Doc. #1 at 2-5). [3]
In short, paragraphs six through eight provide background factual
information about KHN’s use of the EPIC system and CLARITY reports to comply with HIPAA’s security rule regarding the protection of electronic health information and the detection of breaches. Paragraph nine alleges that KHN administrator Duane Sheldon gained unauthorized access to plaintiffs’ health records due to KHN’s failure to take reasonable steps, under EPIC and CLARITY, to protect the information or detect his actions. Paragraph ten alleges that the information he “improperly accessed” was shared with a subordinate KHN employee with whom he was having an affair. Paragraphs eleven and twelve allege that he and others created “fictitious names that do not represent real parties,” which were used to improperly access health information. Paragraph thirteen alleges other breaches of plaintiffs’ health information by Duane Sheldon. Paragraph fourteen alleges that the breaches would have been prevented or minimized if KHN had taken reasonable steps to protect the information by running and monitoring CLARITY reports. Paragraph fifteen alleges that KHN eventually disclosed the breaches to the plaintiffs but refused to provide them with pertinent CLARITY reports. Paragraph fifteen also mentions “the HITECH Act,” which amended HIPAA in 2009. Paragraph sixteen alleges that KHN provided the plaintiffs with a different, inadequate report prepared by KHN employees that contained false and malicious information. We discern at least two types of tortious activity alleged by the plaintiffs: (1)
Duane Sheldon’s intentional improper accessing and sharing of their health information and (2) KHN’s alleged failure to take reasonable steps to protect that information and to detect Duane Sheldon’s breaches. We note that the factual allegations about Duane Sheldon’s conduct do not necessarily appear to depend on an alleged HIPAA violation. The statute is invoked only in connection with the plaintiffs’ factual allegations about KHN failing to take reasonable steps to protect their health information and to detect his breaches. In particular, the plaintiffs allege that KHN failed to regularly run and monitor CLARITY reports, which they allege was required by HIPAA. Based on the foregoing allegations, the plaintiffs argue they asserted
common-law causes of action against Duane Sheldon individually for invasion of privacy, negligence, intentional infliction of emotional distress, and breach of fiduciary duty. We agree with the trial court that the complaint fairly can be read as alleging common-law claims against Duane Sheldon for improperly accessing and sharing the plaintiffs’ health information, regardless of HIPAA’s prohibition to the contrary. The trial court reached the same conclusion in an October 21, 2014 decision and entry denying Duane Sheldon’s Civ.R. 12(B)(6) motion to dismiss. [4] (Doc. #34). An important issue for purposes of KHN’s appeal is whether the plaintiffs
are seeking to hold KHN liable on a respondeat-superior basis for Duane Sheldon’s allegedly tortious actions. Although the original complaint is perhaps unclear, the plaintiffs clarified the uncertainty in their proposed amended complaint that they filed before the trial court granted KHN’s Civ.R. 12(B)(6) motion. Therein, the plaintiffs proposed to allege that Duane Sheldon was a high-ranking administrator for KHN and added the allegation that “KHN is responsible for Defendant D. SHELDON’s actions on the grounds of respondeat superior , as his access of the health information, although improper, was within the scope of his duties as a high level administrator at KHN.” (Doc. #27, Plaintiffs’ proposed first amended complaint at ¶ 20). We therefore generously construe the original complaint to mean that plaintiffs in fact are attempting to hold KHN vicariously liable for Duane Sheldon’s actions, which allegedly constituted several torts. Consequently we must determine whether the allegation of respondeat-superior liability could survive dismissal under Civ.R. 12(B)(6). If so, the trial court should either have so construed the original complaint or permitted the plaintiffs’ proposed amendment in that regard. The existing complaint alleges that Duane Sheldon, a KHN administrator, “was not authorized to access the health records of the Plaintiffs” and KHN failed to “detect his unauthorized access” (Complaint at ¶ 9). It also alleges that “Duane Sheldon improperly accessed extremely sensitive medical information” ( Id . at ¶ 10) and shared that information with another KHN employee. He did this by creating “one or more fictitious names * * * to improperly access protected health information.” ( Id . at ¶ 11). The complaint alleges that Sheldon’s actions were “malicious and reckless.” ( Id . at ¶ 22). 
The proposed amended complaint, which expands on the respondeat superior allegation, contains the same language as in the original and additionally alleges that Duane Sheldon violated the plaintiffs’ privacy by “wrongfully intruding into [plaintiffs’] records and wrongfully publishing such information to third parties.” (Proposed Amended Comp. at ¶ 22). The plaintiffs’ clarification also alleges that “his access of the health information, although improper, was within the scope of his duties as a high level administrator at KHN.” ( Id . at ¶ 20). “It is well-established that in order for an employer to be liable under the
doctrine of respondeat superior, the tort of the employee must be committed within the
scope of employment. Moreover, where the tort is intentional * * * the behavior giving rise
to the tort must be ‘calculated to facilitate or promote the business for which the servant
was employed * * *.’” Byrd v. Faber ,
an apparent contrary conclusion. In Walgreen Co. v. Hinchy ,
servant’s conduct is within the scope of his employment if it is of the kind which he is
employed to perform, occurs substantially within the authorized limits of time and space,
and is actuated, at least in part, by a purpose to serve the master.” Cooke v. Montgomery Cty ., 158 Ohio App.3d 139,
own failure to take reasonable steps, as alleged to be required under HIPAA, to protect the plaintiffs’ health information and to detect Duane Sheldon’s breaches. As noted above, the plaintiffs’ allegations are grounded in the notion that KHN failed to regularly run and monitor the EPIC system CLARITY reports in violation of HIPAA. According to the complaint, “the system protects medical information from being accessed by unapproved personnel to comply with the federal law * * * known as ‘HIPAA.’” (Doc. #1 at ¶ 6). “[T]he cumulative effect of the regular running of these Epic Clarity reports is to detect and deter improper access.” ( Id . at ¶ 7). “Epic reports should be run and reviewed on a consistent and recurring basis * * * to meet the HIPAA Risk Analysis and Management Process.” ( Id . at ¶ 8). Based on the plaintiffs’ own specifically-titled headings of the complaint’s
stated causes of action, they intended to assert common-law causes of action against KHN for invasion of privacy, negligence, negligence per se, negligent training, negligent supervision, intentional infliction of emotional distress, and breach of fiduciary duty. The trial court found these claims subject to Civ.R. 12(B)(6) dismissal because they all essentially alleged violations of HIPAA, or were “HIPAA based,” and the statute does not provide a private right of action. (Doc. #32 at 4-5). As a preliminary matter, it is beyond dispute that HIPAA itself does not
create an express or implied private right of action for violations of its provisions. See, e.g., Acara v. Banks,
undisputed proposition that Congress did not create a private, statutory right of action to
enforce HIPAA’s terms. [6]
KHN also cites Boddie v. Van Steyn , 10th Dist. Franklin No.
13AP-623,
relies, we find it imprecise to say that HIPAA “does not allow a private cause of action.”
What we should determine is whether HIPAA prohibits common-law tort claims based on
the wrongful release of confidential medical information unrelated to and independent
from HIPAA itself. Indeed, the State of Ohio has recognized an independent tort for the
“unauthorized, unprivileged disclosure to a third party of nonpublic medical information[.]”
Biddle v. Warren Gen. Hosp .,
{¶ 21}
Arguing that HIPAA “does not allow” such a common-law tort claim is
another way of saying that it preempts one. “It is well settled that the Supremacy Clause
of the federal Constitution grants Congress the power to preempt state law.” Leppla v.
Sprintcom, Inc ., 156 Ohio App. 3d 498,
conduct in a field that Congress intended the Federal Government to occupy exclusively.’ ” Id . “In the case of conflict preemption, state law is preempted ‘where it is impossible for a private party to comply with both state and federal requirements,’ or ‘where state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress.’” (Citations omitted). Id . HIPAA is a combination of the statute and the regulations adopted under its
authority. The HIPAA statute states that it “shall supersede any contrary provision of State law.” 42 U.S.C. § 1320d–7(a)(1); see also 45 C.F.R. § 160.203. But the statute specifically directs that any regulations shall not supersede state law that is “more stringent” than the requirements under HIPAA. Section 264(c)(2) of Public Law 104-191. The regulations provide that state law is “contrary” to HIPAA when (1) it is “impossible to comply with both the State and Federal requirements;” or (2) “state law stands as an obstacle to the accomplishment and execution” of the act. 45 C.F.R. § 160.202. The “more stringent” exception is adopted in 45 C.F.R. § 160.203(b). The regulations also explain that a state law is “more stringent” than HIPAA if the state law provides greater privacy protection, provides the patient greater rights of access or access to more information than HIPAA, or narrows the scope or duration of the use or disclosure of information HIPAA would allow. 45 C.F.R. § 160.202. Significantly, “State law means a constitution, statute, regulation, rule, common law , or other State action having the force and effect of law.” (Emphasis added). Id . Upon review, we conclude that HIPAA does not preempt the Ohio
independent tort recognized by the Ohio Supreme Court in Biddle “for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship.” Biddle , at paragraph one of the syllabus. However, we further conclude that federal regulations—as opposed to an Ohio statute that sets forth a positive and definite standard of care—cannot be used as a basis for negligence per se under Ohio law. Additionally, in our view utilization of HIPAA as an ordinary negligence “standard of care” is tantamount to authorizing a prohibited private right of action for violation of HIPAA itself, and moreover, in specific regard to plaintiffs’ allegation that monitoring access to medical records was too infrequent, HIPAA does not provide a standard of care as to the frequency of review of information-system activity. We determine that a Biddle claim is not preempted because we fail to see
how such a claim conflicts with HIPAA unless the alleged claim asserts recovery for release of information that HIPAA specifically allows. And although Congress has provided for enforcement of HIPAA by the Secretary of Health and Human Services, 42 U.S.C.S. §§ 1320d–5, 1320d–6, and more recently, by State Attorneys General, see 42 U.S.C.S. § 1320d–5(d), the allowance of recovery of an individual’s damages does not interfere with government enforcement. Therefore, we do not find it is impossible to comply with HIPAA and with state law to the extent we have indicated, and state law is not an obstacle to the accomplishment of HIPAA’s purposes. We believe a Biddle claim enhances the protection of confidentiality of medical information. Despite our agreement that a cause of action still exists for “unauthorized,
unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship,” Biddle, at paragraph one of the syllabus, plaintiffs have not alleged a set of facts that would entitle them to relief under Biddle . Initially we note that none of the titles for the causes of action in the complaint refer to a Biddle -type independent cause of action. The only references to Biddle in the plaintiffs’ various filings and briefs, both here and in the trial court, are references to the Biddle case in arguments associated only with the alleged breach-of-fiduciary-duty claim. In fact, the plaintiffs appear to equate their fiduciary-duty claim with a Biddle claim, arguing: “KHN breached its fiduciary duty of confidentiality as set forth in Biddle by disclosing information to unauthorized employees.” (Appellants’ brief at 10.) But the plaintiffs’ allegations fall short of raising such a claim. As applied to KHN, we conclude, and the hospital does not appear to dispute, that Sheldon’s alleged actions were “unauthorized.” He may have had authority to access any hospital medical record for a legitimate administrative purpose, but not for personal spying on his former spouse or his sharing of that information with a co-worker. It likewise appears the allegations in the complaint are sufficient to conclude that his access and subsequent disclosure were “unprivileged.” The crux of the issue is whether Sheldon’s alleged acts amount to “disclosure” by KHN or “disclosure” for which the hospital may be held legally responsible. We note that the allegations fail to allege that KHN actively or intentionally disclosed anything. Biddle itself dealt with deliberate intentional disclosure of patient
information by a hospital to a law firm to screen patients for SSI eligibility to see if that source could pay patients’ outstanding hospital bills. The attorneys were to be paid a contingency for patients where an SSI claim paid the hospital. For “two and one-half years, the hospital released all of its patient registration forms to the law firm without obtaining any prior consent or authorization from its patients to do so, and without prescreening or sorting them in any way.” Biddle at 395. Under any set of circumstances, pre- or post-HIPAA, with or without reference to HIPAA regulations, the intentional, unauthorized disclosures in Biddle should be actionable. Accordingly, we conclude that the independent tort recognized in Biddle is still viable after HIPAA although the parameters of such a claim may have been impacted by HIPAA preemption. We note that recognition of a Biddle claim post-HIPAA presents a
seemingly unsolvable conundrum. In many cases, as here, whether a release of information is “unauthorized” will not be in question. However, if the validity of authorization is disputed, the parties very well might refer to the specific authorization provisions of the HIPAA privacy rules for guidance. If authorization under Ohio medical privacy law or rules is more relaxed than HIPAA, then Ohio’s less-stringent authorization provisions are not effective because they are preempted by HIPAA. But one could argue that using HIPAA-specific authorization regulations to determine whether release is “unauthorized” allows for the enforcement of HIPAA regulations, which is arguably contrary to the overwhelming conclusion that HIPAA does not provide a private right of action. Because authorization of the release is not in question here, we need not resolve this problem. Although case law delineating the parameters of a Biddle claim is still
developing, the consolidation of other theories of recovery into that recognized tort is certain. In Biddle , as here, the plaintiffs alleged claims for invasion of privacy, intentional infliction of emotional distress, and negligence. The Biddle court reasoned: “[A]s to appellees’ continued insistence that they be entitled to pursue other theories of liability, we agree with the reasoning of the appellate court that these other theories are either unavailable, inapplicable because of their respective doctrinal limitations, or subsumed by the tort of breach of confidence [i.e., a Biddle claim]. Indeed, it is the very awkwardness of the traditional causes of action that justifies the recognition of the tort for breach of confidence in the first place.” Biddle at 408-409; see also Norris v. Smart Document Solutions, LLC , 483 Fed. Appx. 247, 248–49 (6th Cir.2012) (recognizing that a Biddle claim is “its own independent tort [which] forecloses an argument that [plaintiff’s] action should be understood as one for the long-recognized tort of wrongful taking of personal property” known as conversion). Although breach of fiduciary duty is not mentioned as subsumed in Biddle , or as foreclosed as in Norris , we determine that the plaintiffs’ alleged seventh count for breach of fiduciary duty is subsumed along with the other theories, particularly when appellant contends that “KHN breached its fiduciary duty of confidentiality as set forth in Biddle by disclosing information to unauthorized employees.” (Appellants’ Brief at 10). In any event, we decline to recognize the plaintiffs’ alleged “Third Count:
Negligence Per Se,” which undoubtedly is “HIPAA based,” [7] for three separate reasons.
First, to the extent that HIPAA universally has been held not to authorize a private right of
action, to permit HIPAA regulations to define per se the duty and liability for breach is no
less than a private action to enforce HIPAA, which is precluded. Second, in Chambers v.
St. Mary’s School ,
“HIPAA-based” claims is whether, based on the alleged facts and reasonable inferences,
it is beyond doubt that the plaintiffs are not entitled to relief on the claim for breach of
confidentiality of medical information. In Scott v. Ohio Dep't of Rehab. & Corr .,
Biddle itself is certainly premised on facts that involved a deliberate and intentional disclosure, but in creating this new tort under Ohio law, the Supreme Court relied on some authorities involving negligence fact patterns. [Citation and summary omitted]. We are therefore unwilling to accept ODRC’s proposal that “unauthorized” disclosure under Biddle equates to “intentional” disclosure. Ultimately, however, considering the matter as one of first impression, we find that under the circumstances outlined in the facts given above, supervised inmate access to trash containing unshredded medical documents does not constitute “disclosure” for purposes of the tort of unauthorized disclosure of medical information as defined by Biddle . * * *
Without precluding that an inadvertent disclosure might, under different facts, fulfill the elements of Biddle, the present case does not.
Scott at ¶¶ 29-30.
Here, at best, the plaintiffs’ claim against KHN is predicated upon KHN’s
alleged failure to earlier detect Sheldon’s intentional, unauthorized access through procedures required by HIPAA. Consistent with Scott , we determine that the facts alleged do not constitute “disclosure” for purposes of a Biddle breach-of-confidentiality claim. Therefore, we affirm the trial court’s dismissal of the claims albeit as a result of a somewhat different analysis. Despite preemption and the lack of a private right of action, we are aware of
three states that have expressed approval of the use of HIPAA regulations as a standard
of care. Byrne v. Avery Center for Obstetrics and Gynecology , P.C .,
claims were subject to dismissal because they were not adequately pled. This argument pertains to the claims against KHN for invasion of privacy, negligent training, negligent supervision, and intentional infliction of emotional distress. Although KHN raised this argument below, the trial court had no occasion to address it upon finding the claims subject to dismissal on HIPAA-based grounds. Although we have determined that plaintiffs have failed to state a breach of privacy claim, and that the other claims are consolidated therein, including perhaps all these claims subject to alternative arguments, we recognize the import of our holding and therefore address whether the referenced causes of action, if separate, were adequately pled to survive Civ.R. 12(B)(6) dismissal. [8] With regard to the claims against KHN for invasion of privacy, negligent training, negligent supervision, and intentional infliction of emotional distress, KHN argues:
The common elements among each of these causes of action require that KHN must have acted intentionally or failed to act with knowledge of the underlying tortfeasors’ actions. Plaintiffs-Appellants’ Complaint is void of any allegation that KHN acted intentionally to cause Plaintiffs-Appellants harm or that KHN knew that certain employees were accessing medical information without authorization and failed to act. As stated above, Plaintiffs-Appellants’ tort allegations against KHN are based upon KHN’s alleged failure to run certain “CLARITY” reports with sufficient frequency. Even assuming that KHN was required to run these reports with the frequency alleged by Plaintiffs-Appellants and that KHN failed to do so, that does not demonstrate that KHN acted intentionally nor does it demonstrate that KHN knew its employees were accessing medical information without authorization.
(Appellee’s brief at 17).
Upon review, we agree with KHN that two of the causes of action at issue,
namely invasion of privacy and intentional infliction of emotional distress, fail to state a
claim upon which relief can be granted because they do not allege KHN acted
intentionally. The plaintiffs’ brief makes clear that they are alleging “wrongful intrusion”
invasion of privacy. [9] This theory requires proof of an intentional intrusion upon the
solitude or seclusion of another or his private affairs or concerns. King v. Cashland, Inc .,
2d Dist. Montgomery No. 18208,
emotional distress, which requires a showing that the actor intended to cause emotional distress or knew, or should have known, that his actions would result in severe emotional distress. Ratcliff v. Seitz, 2d Dist. Miami No. 2014-CA-9,
training and negligent supervision. The elements of a negligent supervision claim essentially are the same as those required to prove negligent hiring. Browning v. Ohio State Hwy. Patrol, 151 Ohio App.3d 798,
constructive knowledge of Duane Sheldon’s incompetent behavior. The relevant behavior here involved his allegedly unauthorized and improper accessing and sharing of the plaintiffs’ electronic health information. Nothing in the complaint suggests that KHN had actual knowledge of this behavior. The complaint alleges the manner in which KHN could be deemed to have constructive knowledge of Sheldon’s access and that is to monitor the EPIC system CLARITY reports to comply with HIPAA security rules. We agree with the trial court that the manner alleged in the complaint for KHN to have discovered Sheldon’s unauthorized access is definitively HIPAA-based. Because we believe allowing such a claim to proceed effectively would allow a private action for damages predicated on HIPAA requirements, recovery based on that part of the complaint is prohibited. We have not found, and the plaintiffs have not cited, an Ohio case supporting a cause of action based on negligent failure to follow HIPAA regulations. We conclude that the trial court correctly dismissed these claims.
We again acknowledge that the plaintiffs moved to amend their complaint, but the proposed amendments would not have cured the fatal deficiencies. The proposed amended complaint retained virtually every allegation found in the original, including the allegations that KHN was negligent in failing adequately to monitor the CLARITY reports from the EPIC system as required by HIPAA. The only proposed changes of substance that could relate to the negligent training or supervision claims are the addition of the following allegations:
9. Although it is not mandated that the EPIC system be used by any controlling authority, it is clear that the standard of care established by HIPAA is that a health entity must take reasonable and prudent steps to safeguard patient information.
10. Complete and apart from any standard of care, KHN has a common law duty to safeguard patient confidential health information.
* * *
12. Defendant KHN, complete and apart from its duty of care established by HIPAA, failed to take reasonable care to safeguard patient health information.
* * *
49. In asserting the above common law claims, Plaintiffs disclaim any attempt at enforcing “HIPAA”. They do not seek civil or criminal penalties against KHN for “HIPAA violations”; rather they seek common law remedies to themselves for damages, as contained in the prayer for relief.
Paragraphs 9 and 10 allege only the existence of a common-law duty to protect patient health information. That is not in dispute. Paragraph 12 merely alleges, in conclusory fashion, that KHN was negligent. But the only factual allegations to support that bare conclusion are all the factual allegations about Duane Sheldon’s intrusion and the HIPAA-induced monitoring KHN allegedly should have done to detect his access. Those factual assertions remain intact in the proposed amended complaint. Finally, paragraph 49 is no more than an attempt by the plaintiffs to distance themselves from what they now recognize is a prohibited HIPAA claim when the bulk of their factual assertions—most importantly with regard to the HIPAA obligations related to monitoring the EPIC CLARITY reports to discover Sheldon’s intrusion—remain unchanged. We reiterate that the proposed amended complaint would not cure the infirmities we have addressed.
Based on the reasoning set forth above the assignments of error are overruled and the trial court’s judgment is affirmed.
. . . . . . . . . . . . .
DONOVAN, J., and WELBAUM, J., concur.
Copies mailed to:
Robert F. Croskery
Doreen Canton
Evan T. Priestle
J. Steven Justice
Glen McMurry
Hon. Timothy N. O’Connell
Notes
[1] Dercola filed suit in her own name and as parent and legal guardian of her minor child, T.D. In addition to KHN, the complaint named Sheldon’s former husband, Duane Sheldon, as a defendant. The claims against Duane Sheldon were voluntarily dismissed, however, after the trial court granted KHN’s Civ.R. 12(B)(6) motion.
[2] The complaint also alleged violations of the Fair Credit Reporting Act and the Fair Debt Collection Practices Act. Those claims were voluntarily dismissed below and are not at issue on appeal.
[3] Although the complaint contains two additional paragraphs of factual allegations after paragraph sixteen, those allegations involve other causes of action that the plaintiffs voluntarily dismissed below.
[4] We recognize that the plaintiffs voluntarily dismissed their claims against Duane Sheldon after the trial court granted KHN’s Civ.R. 12(B)(6) motion. We nevertheless find a discussion of those claims pertinent to our analysis of KHN’s Civ.R. 12(B)(6) motion and the plaintiffs’ motion for leave to amend their complaint.
[5] We note that the proposed amended complaint alleges that “KNH is responsible for Defendant D. Sheldon’s actions on the ground of respondeat superior, as his access of the health information, although improper, was within the scope of his duties as a high level administrator at KHN.” (Proposed Amended Comp. at ¶ 20). We make two observations in response. First, “[u]nsupported conclusions of a complaint are not considered admitted * * * and are not sufficient to withstand a motion to dismiss.” State ex rel. Hickman v. Capots,
[6] In Henry, the court noted that the plaintiff’s claims actually appeared to be brought under HIPAA, which lacks a private right of action. In Shepherd, the plaintiffs admitted that they did not allege a claim under HIPAA or any tort claims at all. Although HIPAA had nothing to do with the case, the court recognized in a footnote that it does not create a private right of action. In Siegler, the court held that no claim could be brought “under HIPAA” because it lacked a private right of action and that any common law claim would be barred by the Eleventh Amendment, which is not at issue in the present case. Finally, in Wood, the plaintiff actually attempted to bring a claim under HIPAA itself. The court rejected the attempt because “HIPAA does not provide a private cause of action[.]” Although we do not disagree with any of the foregoing findings, none of them address the issue before us.
[7] The negligence per se count of the complaint says only that KHN “violated standards for protecting electronic health information” without reference to HIPAA or any specific statute or regulation to support negligence per se. In their brief, the plaintiffs’ argument makes clear that this claim is referring to “HIPAA requirements.” (Appellant’s Brief at 13).
[8] Ordinarily, we might be inclined to allow the trial court to address an unresolved issue in the first instance if we were to remand. We need not do so, however, with regard to KHN’s argument about the adequacy of the plaintiffs’ pleading. That issue, which was raised by KHN but not addressed by the trial court below, involves a question of law that we review de novo. Jones v. Xenia, 2d Dist. Greene No. 2011 CA 27,
[9] The Ohio Supreme Court has recognized four types of invasion-of-privacy claims: (1) unwarranted appropriation or exploitation of one’s personality, (2) publicizing of one’s private affairs, (3) wrongful intrusion into one’s private activities, and (4) false-light invasion of privacy. Welling v. Weinfeld,
[10] We recognize that in Prince v. St. Francis-St. George Hosp., Inc.,
