Opinion
113264
07-25-2024
KATHLEEN KEYSE, Plaintiff-Appellant, v. CLEVELAND CLINIC FOUNDATION, Defendant-Appellee.
Mishkind Kulwicki Law Co., L.P.A, and David A. Kulwicki; Flowers & Grube, Paul W. Flowers, and Louis E. Grube, for appellant. Tucker Ellis LLP, Susan M. Audey, Elisabeth C. Arko, Edward E. Taber, and Kelli R. Novak, for appellee.
Civil Appeal from the Cuyahoga County Court of Common Pleas Case No. CV-22-961897:
Mishkind Kulwicki Law Co., L.P.A, and David A. Kulwicki; Flowers & Grube, Paul W. Flowers, and Louis E. Grube, for appellant.
Tucker Ellis LLP, Susan M. Audey, Elisabeth C. Arko, Edward E. Taber, and Kelli R. Novak, for appellee.
JOURNAL ENTRY AND OPINION
KATHLEEN ANN KEOUGH, ADMINISTRATIVE JUDGE
{¶1} Plaintiff-appellant, Kathleen Keyse ("Keyse"), appeals from the trial court's judgment granting the motion for summary judgment of defendant-appellee, Cleveland Clinic Foundation ("Cleveland Clinic"). We affirm.
I. Background
{¶2} Keyse, in a refiled action, sued Cleveland Clinic in April 2022, asserting claims for (1) breach of fiduciary duty; (2) violation of right to privacy; (3) fraud; and (4) punitive damages. The gist of Keyse's complaint was that one of Cleveland Clinic's employees, Diane Shepherd ("Shepherd"), who is Keyse's sister, electronically accessed Keyse's medical information on several occasions between June and October 2020 without a business reason to do so. In short, Keyes alleged that Shepherd "snooped" into Keyse's medical records for her own personal reasons. In her deposition, Shepherd admitted that she improperly accessed Keyse's electronic medical record but said she never disclosed the information to anyone else. Shepherd also said that Cleveland Clinic sanctioned her for her improper conduct by issuing her a final written warning and putting her on probation for two years.
{¶3} After discovery, Cleveland Clinic moved for summary judgment on all of Keyse's claims. The trial court denied the motion as to all claims except Keyse's claim for punitive damages, which the trial court found Keyse had withdrawn.
{¶4} The case progressed and the parties prepared for trial. On the eve of trial, Keyse withdrew her claims for breach of fiduciary duty and fraud, leaving only her medical-privacy claim, which Keyse's counsel acknowledged in an email to Cleveland Clinic counsel was a Biddle claim.
As will be discussed in more detail below, in Biddle v. Warren Gen. Hosp., 86 Ohio St.3d 395 (1999), the Ohio Supreme Court recognized a separate tort for the unauthorized disclosure of confidential medical information. Such a claim is now known as a Biddle claim. In his April 12, 2023 email to Cleveland Clinic's counsel, Keyse's counsel wrote, "This email will confirm that I will only be pursuing the Biddle claim at trial."
{¶5} Cleveland Clinic then filed seven motions in limine to exclude at trial: (1) evidence of Keyse's alleged emotional damages; (2) any allegations of disclosure of medical information to a third party; (3) reference to other reported impermissible access events involving other patients; (4) Keyse's vicarious liability argument as to Shepherd; (5) evidence of Keyse's withdrawn claims and prayer for punitive damages; (6) to enforce Ohio's statutory damages cap; and (7) preclude argument on expert issues not supported by an expert witness. The trial court granted all seven motions.
{¶6} Cleveland Clinic then moved for summary judgment on Keyse's Biddle claim, her sole remaining claim for trial. Keyse opposed the motion. The trial court subsequently granted the motion, finding that Keyes "failed to present any evidence of a disclosure of [her] nonpublic medical information to a third party, as required by Biddle. Therefore, the court finds that [Keyse's] claim fails as a matter of law and [Cleveland Clinic] is entitled to judgment in its favor." This appeal followed.
II. Law and Analysis
A. Summary Judgment
{¶7} In her first assignment of error, Keyse contends that the trial court erred in granting Cleveland Clinic's motion for summary judgment.
{¶ 8} We review summary judgment rulings de novo, applying the same standard as the trial court. Grafton v. Ohio Edison Co., 77 Ohio St.3d 102, 106 (1996). We accord no deference to the trial court's decision and conduct an independent review of the record to determine whether summary judgment is appropriate. Brewer v. Cleveland Bd. of Edn., 122 Ohio App.3d 378, 383 (8th Dist. 1997).
{¶ 9} Under Civ.R. 56(C), summary judgment is appropriate when no genuine issue exists as to any material fact and, viewing the evidence most strongly in favor of the nonmoving party, reasonable minds can only reach a conclusion that is adverse to the nonmoving party. The party moving for summary judgment has the initial burden of identifying specific facts in the record that demonstrate an entitlement to summary judgment. Dresher v. Burt, 75 Ohio St.3d 280, 292-293 (1996). If the movant fails to meet this burden, summary judgment is not appropriate. Id. If the moving party meets this burden, the burden shifts to the nonmoving party to point to specific facts in the record that demonstrate the existence of a genuine issue of material fact for trial. Id.
{¶10} "In general, a person's medical records are confidential. Numerous state and federal laws recognize and protect an individual's interest in ensuring that his or her medical information remains so." Hageman v. Southwest Gen. Health Ctr., 2008-Ohio-3343, ¶ 9. The Ohio Supreme Court explicitly recognized and applied this principle of confidentiality in Biddle, 86 Ohio St.3d 395, where it "recognized that the breach of patient confidentiality is a palpable wrong" but that "such an injury is difficult to remedy appropriately." Id. at ¶ 10. Finding the various methods that courts had developed to address such claims (including theories like invasion of privacy, defamation, breach of contract, and others) to be ill-suited for addressing a breach-of-confidence situation, the Biddle Court recognized a separate tort for breach of confidentiality related to medical information. Id. at ¶ 11.
In establishing the tort, the Ohio Supreme Court made clear that other common law claims are not available where a Biddle claim exists:
As to appellees' continued insistence that they be entitled to pursue other theories of liability, we agree with the reasoning of the appellate court that these other theories are either unavailable, inapplicable because of their respective doctrinal limitations, or subsumed by the tort of breach of confidence [i.e., a Biddle claim]. Indeed, it is the very awkwardness of the traditional causes of action that justifies the recognition of the tort for breach of confidence in the first place.Biddle at 408-409. See also Sheldon v. Kettering Health Network, 2015-Ohio-3268, ¶ 29 (2d Dist.) ("Although case law delineating the parameters of a Biddle claim is still developing, the consolidation of other common law theories of recovery into that tort is certain.").
{¶11} The Court defined the boundaries of the new tort by recognizing two related causes of action: one against physicians and hospitals that disclose confidential medical information to a third party without authorization or privilege to do so, and one against third parties who induce physicians or hospitals to disclose such information. Id., citing Biddle at paragraphs one and three of the syllabus.
{¶12} Setting forth the elements of the claim, the Biddle Court stated, "in Ohio, an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship." Biddle at paragraph one of the syllabus.
{¶13} Keyse contends that Cleveland Clinic admitted that Shepherd improperly accessed her electronic medical records on several occasions and that Shepherd's unauthorized access constitutes an unprivileged disclosure to a third party under Biddle sufficient to justify a denial of summary judgment and, therefore, a reversal of the trial court's judgment. (Appellant's brief, p. 14.) She also contends that summary judgment should have been denied because reasonable jurors could conclude that Cleveland Clinic was obligated under the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), which prevents healthcare providers from disclosing health information except in certain specific circumstances, to undertake more efforts to protect her from Shepherd's unauthorized access to her confidential medical records. (Appellant's brief, p. 15.)
{¶14} Cleveland Clinic, on the other hand, argues that the trial court properly granted summary judgment in its favor because (1) a Biddle claim requires disclosure to an "outside" third party, which Cleveland Clinic asserts means an entity or person outside the walls of the hospital, which did not happen in this case; (2) in any event, Cleveland Clinic made no intentional or unintentional disclosure of any kind; rather, Shepherd improperly accessed Keyse's confidential medical information for a nonbusiness use; and (3) the narrowly tailored medical-privacy claim under Biddle exists independent of HIPAA and although HIPAA may provide guidance to courts regarding the contours of a Biddle claim, it does not expand Biddle so that an alleged regulatory violation of HIPAA is actionable under a breach- of-confidence claim under Biddle. (Appellee's brief, p. 13, 15, 17.)
{¶15} Keyse responds that Shepherd was the "third party" to which her nonpublic medical information was disclosed because
"disclosure to a third party" as used in the Biddle syllabus most aptly and reasonably should be interpreted to apply to a hospital's impermissible disclosure to any person, employee or not, who has no legitimate business or medical reason for having access to the patient's confidential information.(Appellant's reply brief, p. 3.) She contends that the trial court should therefore have denied summary judgment because there are disputed issues of fact over whether Shepherd qualifies as a third party under Biddle.
{¶16} We need not resolve the issue of whether Shepherd qualifies in these circumstances as a third party under Biddle or whether disclosure must be outside the walls of the entity holding the information because our review of the record demonstrates that Cleveland Clinic made no disclosure whatsoever of Keyse's confidential medical information and, therefore, Keyse's Biddle claim fails as a matter of law.
{¶17} The breach of confidence tort recognized in Biddle requires "the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship." Biddle, 86 Ohio St.3d at 523. A Biddle claim therefore requires a disclosure. According to Black's Law Dictionary, "disclosure" is "[t]he act or process of making known something that was previously unknown." Black's Law Dictionary (11th Ed. 2019). But Cleveland Clinic did not do any act, either intentionally or unintentionally, that made Keyse's medical information known to anyone. Rather, as Shepherd admitted in her deposition, she improperly accessed her sister's confidential medical information entirely on her own without authorization to do so.
{¶18} Ohio courts and federal courts interpreting Biddle claims under Ohio law have refused to allow plaintiffs to pursue Biddle claims where third parties wrongfully intercepted or accessed the plaintiffs' privileged medical information and the defendants did not disseminate or disclose the information either intentionally or unintentionally. For example, in Scott v. Ohio Dept. of Rehab. & Corr., 2013-Ohio-4383 (10th Dist.), ten inmates at the Mansfield Correctional Institution filed suit against the Ohio Department of Rehabilitation and Correction ("ODRC") asserting a Biddle claim after their names and HIV-positive medical status were listed on pharmacy documents that were left in trash cans that were accessible to other inmates who found the documents and then disseminated them to the general inmate population, to the detriment of the plaintiffs. Id. at ¶ 8. Recognizing "the known propensity of some inmates to ingeniously and maliciously exploit any opportunity for leverage over staff or fellow inmates," id. at ¶ 30, the appellate court affirmed the trial court's grant of summary judgment to ODRC on the inmates' Biddle claim, finding that "supervised inmate access to trash containing unshredded medical documents does not constitute 'disclosure' for purposes of the tort of unauthorized disclosure of medical information as defined by Biddle." Id. at ¶ 29.
{¶19} Likewise, in Foster v. Health Recovery Servs., 493 F.Supp.3d 622 (S.D.Ohio 2020), the defendant learned that its network had been breached when an unauthorized IP address remotely accessed its computer network and obtained the personal information of its clients, including the plaintiff. The plaintiff filed a Biddle claim based on the unauthorized disclosure of his health information to third parties. Id. at 629. The Foster Court found that the plaintiffs allegations were insufficient to state a Biddle claim because the "[defendant did not commit an intentional or unintentional act of disclosure. Instead, what is alleged is that a third party has exploited [defendant's security weakness to access the information without [defendant's authorization." Id. at 636.
{¶20} In Tucker v. Marietta Area Health Care, Inc., S.D.Ohio Nos. 2:22-cv-184, 2:22-cv-221, and 2:22-cv-385, 2023 U.S. Dist. LEXIS 13974 (Jan. 26, 2023), the defendant, a regional medical services business, was the target of a cyberattack during which the hacker gained access to defendant's computer system and acquired the protected health information of defendant's current and former patients. Id. at *2. The plaintiff sued, asserting various common law claims against the defendant. The defendant filed a motion to dismiss all of the plaintiffs claims, arguing that they were preempted under Biddle. The district court disagreed, finding that "Biddle applies only when a defendant has made a disclosure." Id. at *8. The court reasoned that because the case involved unauthorized access to the plaintiffs medical information by a third party, and not a disclosure by the defendant, Biddle did not apply. Id.
{¶21} Similarly, in Sheldon v. Kettering Health Network, 2015-Ohio-3268 (2d Dist.), the court found that "the facts alleged [did] not constitute a 'disclosure' for purposes of a Biddle breach-of-confidentiality claim" against the defendant health care organization where one of the defendant's employees "intentionally and improperly" accessed the defendant's software system to obtain his ex-wife's electronic medical information and then shared that information with his lover, who was also a co-worker. Id. at ¶ 13, 33. The court found that the employee's actions were clearly "unauthorized" because although he "may have had authority to access any hospital medical record for a legitimate administrative purpose," he did not have authority to access the defendant's software "for personal spying on his former spouse or his sharing of that information with a co-worker." Id. at ¶ 26. Accordingly, because the facts did not constitute a "disclosure" by the health care organization, but rather the deliberate, unauthorized access to the information by an employee, the court affirmed the trial court's dismissal of the plaintiffs claims. Id.
{¶22} Finally, in Kennedy v. Corrado, Hamilton C.P. No. A1900656, 2019 Ohio Misc. LEXIS 7130 (May 30, 2019), the trial court found that allegations that an employee of the defendant healthcare organization accessed the plaintiffs medical records without authorization to do so and then shared those records with others did not constitute a "disclosure" by the healthcare organization for purposes of a Biddle claim and dismissed the plaintiffs claim. Id. at *4.
{¶23} Contrary to Keyse's argument that these cases are "inapposite" to the facts of this case, we find them directly on point. Just as in Scott, Sheldon, Tucker, Foster, and Kennedy, this case involves the deliberate unauthorized access of the plaintiffs medical information by a third party. There are no facts suggesting that Cleveland Clinic either intentionally or unintentionally disclosed Keyse's confidential medical information to Shepherd. Instead, the evidence is clear that Shepherd acted willfully, improperly, and entirely on her own to gain access to Keyse's confidential medical information. Although as a Cleveland Clinic employee Shepherd was authorized to access Keyse's medical records for a legitimate business purpose, she was not authorized to access them for her own personal reasons, which she admitted she did when she "snooped" into Keyse's records. Accordingly, just as in the preceding cases, Shepherd's unauthorized, intentional, deliberate "snooping" into her sister's records does not constitute a "disclosure" by Cleveland Clinic under Biddle. Because there is no evidence that the Cleveland Clinic disclosed Keyse's medical information to anyone, Keyse cannot prove an essential element of her Biddle claim and, therefore, the trial court properly granted Cleveland Clinic's motion for summary judgment on her claim.
{¶24} Any argument by Keyse that the trial court should have denied summary judgment because a jury could reasonably conclude that Cleveland Clinic should have done more under HIPAA to protect the release of her information to Shepherd is wholly without merit. Although HIPAA may provide guidance for establishing Biddle liability, "it is well-settled that a HIPAA violation does not create a private cause of action for the party whose information has been released." Menorah Park Ctr. for Senior Living v. Rolston, 2020-Ohio-6658, ¶ 36. Thus, allowing the jury to consider Cleveland Clinic's compliance with HIPAA despite the failure of Keyse's Biddle claim would in effect create a private cause of action for Keyse under HIPAA, something the law clearly does not allow.
{¶25} The first assignment of error is overruled.
B. Motions in Limine
{¶26} In her second assignment of error, Keyse contends that the trial court abused its discretion in granting Cleveland Clinic's motions in limine.
{¶27} "It is well-settled that the granting or denial of a motion in limine is a tentative, interlocutory precautionary ruling reflecting the trial court's anticipatory treatment of an evidentiary issue which the trial court may change at trial when the disputed evidence appears in context." State v. Taylor, 2004-Ohio-3115, ¶ 6 (8th Dist.), citing State v. Grubb, 28 Ohio St.3d 199, 201 (1986). "'A preliminary ruling has no effect until it is acted upon at trial'" and hence, is not a final appealable order. Liebe v. Admin., 2014-Ohio-1834, ¶ 9 (8th Dist.), quoting State v. Kulasa, 2012-Ohio-6021, ¶ 20 (10th Dist.).
{¶28} Cleveland Clinic contends that it would be premature for this court to address Keyse's arguments regarding the motions in limine because the trial court's rulings were conditional, interlocutory rulings that were not decided in the context of a full trial and, thus, for us to address Keyse's arguments regarding the motions in limine would be "tantamount to giving advisory opinions on questions not properly before this court." (Appellee's brief, p. 36.) Once a final judgment is rendered, however, all interlocutory orders are merged into the final judgment of the trial court and become appealable. Marc Glassman, Inc. v. Fagan, 2006-Ohio-5577, ¶ 11 (8th Dist.).
{¶29} Nevertheless, this assignment is error is rendered moot by our disposition of the first assignment of error affirming the trial court's grant of summary judgment to Cleveland Clinic. Accordingly, the second assignment of error is overruled. See App.R. 12(A)(1)(c).
{¶30} Judgment affirmed.
It is ordered that appellee recover from appellant costs herein taxed.
The court finds there were reasonable grounds for this appeal. It is ordered that a special mandate be sent to said court to carry this judgment into execution.
A certified copy of this entry shall constitute the mandate pursuant to Rule 27 of the Rules of Appellate Procedure.
EILEEN A. GALLAGHER, J, and LISA B FORBES, J, CONCUR