A hospital group and its former employee at odds over her unauthorized access of confidential patient records aren’t quite finished with their legal battle, the Court of Appeals of Indiana ruled Wednesday.
For nearly two years, former Franciscan Alliance employee Christina A. Padgett accessed a specific patient’s confidential protected health information in violation of a workforce confidentiality agreement. Padgett accessed the confidential patient information between October 2012 and April 2014 in order to learn “when the patient would be at Padgett’s workplace so that Padgett could avoid the patient’s alleged harassment” of her.
In 2018, four years after Padgett had resigned, the state of Indiana filed a lawsuit in federal court against Franciscan for its alleged violations of the Health Insurance Portability and Accountability Act of 1996, or HIPAA.
The state alleged Franciscan had inadequate procedures in place to protect patients’ PHI relating to information access monitoring, responses to security incidents and termination of unauthorized access to patient information. It further alleged that Franciscan failed to retain written records of its policies and procedures as required under HIPAA, and that it had not updated its policies in a timely manner. Finally, the state argued that Padgett accessed the information when it wasn’t required for her work and that Franciscan didn’t know about it until after the patient complained, yet still did nothing to end it before Padgett resigned.
Franciscan and the state settled in August 2018, with Franciscan agreeing to pay $80,000 and to comply with specified HIPAA regulations regarding Franciscan’s policies and procedures, including implementing policies and procedures relating to information access monitoring and responses to security incidents.
The next month, Franciscan sued Padgett for breach of contract, breach of fiduciary duty, negligence and indemnification claims. It sought an order that Padgett pay the $80,000 Franciscan had paid to settle the HIPAA lawsuit.
The Marion Superior Court denied Franciscan’s summary judgment motion and granted Padgett’s summary judgment motion on all of Franciscan’s claims. However, it did deny Padgett’s motion for summary judgment on her counterclaim that Franciscan brought an allegedly frivolous lawsuit and entered judgment for Franciscan on that claim.
The Court of Appeals of Indiana partially affirmed and reversed in Franciscan Alliance, Inc. v. Christina A. Padgett, 21A-PL-1738, finding first that the trial court erred in granting Padgett summary judgment and denying it to Franciscan on the issue of timeliness. The COA held that Franciscan’s claims did not accrue and that the statute of limitations did not begin to run until August 2018, at the earliest.
“Even assuming, arguendo, the existence of a contract and the existence of a duty owed by Padgett to Franciscan, summary judgment is not appropriate because there are genuine issues of material fact regarding whether Padgett breached the contract and/or her common law duty,” Judge L. Mark Bailey wrote for the COA.
“The Agreement between Padgett and Franciscan states that Padgett will access confidential information only for ‘legitimate business purposes.’ However, neither the document itself nor any of the designated evidence establish the meaning of that term,” Bailey continued.
The appellate court also concluded that neither party designated evidence establishing whether Padgett was authorized to access the confidential patient information at issue or, if not, whether her unauthorized actions caused the damages Franciscan incurred in the state’s HIPAA lawsuit against it.
“Therefore, as to Franciscan’s contract, tort, and indemnification claims, we affirm denial of summary judgment for Franciscan, reverse summary judgment in favor of Padgett, and remand for further proceedings consistent with this decision,” the court concluded.