Question: Can a healthcare provider have liability for a Health Insurance Portability and Accountability Act (HIPAA) violation by its employee, when employee’s actions were done in violation of company’s rules of confidentiality?
Answer: Yes, healthcare providers may have liability based upon the doctrine of respondeat superior.
When considering an employer’s liability for the actions of its employee, the general rule is that vicarious liability will be imposed upon an employer under the doctrine of respondeat superior where the employee has inflicted harm while acting within the scope of employment and the employer would not otherwise be liable for its own acts. To fall within the scope of employment, the employee’s injurious act must either (1) be incidental to the conduct authorized or (2) to an appreciable extent, further employer’s business.
Further, the fact that a wrongful act violates an explicit policy or rule of the employer’s does not preclude respondeat superior. The scope of employment may include acts that the employer expressly forbids. Therefore, a healthcare employer may be held vicariously liable for its employee’s misconduct even if the actions in question ran directly counter to their rules or policies, such as the Confidentiality Agreement and the Acknowledgment Regarding Access to Patient Information. When at least some of the actions surrounding employee’s misconduct were authorized, the issue of respondeat superior must be left to the jury.