Court of Appeals Clarifies Liability Under Wisconsin’s Patient Confidentiality Laws
The Wisconsin Court of Appeals recently issued a decision clarifying when a health care provider can face liability under Wisconsin law for failing to maintain the confidentiality of patient health care records. In Wall v. Pahl,1 the court of appeals, in a published decision, determined that a health care provider or its employees cannot be sued for violating Wis. Stat. § 146.82(1) by merely accessing a patient’s records without consent or a valid exception. The court instead interpreted § 146.82(1) as requiring release or disclosure of the patient’s protected health information outside of the organization holding the records for liability to arise. The decision will hopefully reduce the number of HIPAA-based civil lawsuits filed in Wisconsin and help health care providers avoid exposure when an employee reviews a record but simply cannot recall the reason for doing so when litigation is commenced years later.
Wisconsin’s patient confidentiality laws, codified in Wis. Stat. ch. 146, incorporate the federal Health Insurance Portability and Accountability Act’s (HIPAA) general requirement concerning safeguarding patient information. Health care providers, including hospitals and other medical organizations, are required pursuant to Wis. Stat. § 146.82(1) to keep patient health care records confidential, with release of information only permitted with a patient’s informed consent or pursuant to a valid statutory exception. Wisconsin adopts HIPAA’s health care operations exception and provides a list of over 20 other valid reasons for releasing patient information.2
However, Wisconsin law, unlike its federal counterpart, also creates a private cause of action for violations and exposes violators to significant liability.3 Wisconsin Stat. § 146.84(2) awards successful plaintiffs their compensatory damages, exemplary damages of $1,000.00 for a negligent infraction or $25,000.00 for an intentional infraction and, most importantly, actual attorney’s fees.4
Just what conduct can expose a health care provider to liability for violating Wis. Stat. § 146.82(1) was subject to debate prior to the Wall decision. Litigants argued over whether a health care provider’s unlawful access alone was sufficient to state a valid claim or whether the plaintiff also had to prove outside disclosure of the information. At least one circuit court had come down in favor of patients, holding that, based on the language of § 146.82(1) requiring that health care records “shall remain confidential,” access, without disclosure, was sufficient to state a claim.5
In Wall, the court of appeals decided in favor of health care providers, holding that access alone is not enough, and that outside disclosure is also necessary. As a published decision no longer subject to review by the Wisconsin Supreme Court (no petition for review was filed), Wall is now statewide precedent.
The Wall Decision
The Wall case arose from the predominant fact pattern that had been driving litigation arising from a health care provider’s alleged violation of Wis. Stat. § 146.82(1). The plaintiff, Daniel Wall, was a past patient of Gundersen Lutheran Health Systems.6 He requested an audit trail listing all Gundersen staff who accessed his health care records and, after obtaining the results, learned that Gundersen employees Marion Pahl and Jacquelyn Schimke “accessed and observed” his medical records.7 The facts in the Wall decision do not clarify the relationship between Wall, Pahl, or Schimke, or exactly what type of medical information Pahl and Schimke accessed, but the parties did not dispute that Pahl and Shimke did not have Wall’s consent prior to accessing his records, nor did they have a valid reason under HIPAA or Wisconsin law for doing so.8 Wall even requested that Gundersen investigate and disclose the health care reason for Pahl and Schimke’s access, but Gundersen never released that information to him.9
Wall sued Pahl, Schimke, and Gundersen for, among other things, violating Wis. Stat. § 146.82(1), and requested punitive damages under § 146.84(2)— which would have entitled Wall, if able to prove that Pahl and Schimke’s access was intentional, to up to $25,000.00 from each of them.10 Wall’s complaint alleged only that the Gundersen employees accessed his records, but was silent as to whether they released or disclosed any information they learned from those records outside the organization.11 In fact, in later filings, Wall confirmed that his statutory claims against Pahl and Schimke stemmed solely from their failure to gain his informed consent before accessing his records and that he was not alleging that any outside disclosure occurred.12
Pahl and Schimke moved to dismiss Wall’s claims for statutory violations, arguing that Wis. Stat. § 146.82(1) required release or disclosure of Wall’s records outside of the organization in order for liability to ensue. Since Wall’s complaint did not allege that his records were disclosed outside the organization, Paul and Schimke argued that Wall’s complaint failed to state valid claims for statutory violations. The trial court agreed and granted their motion to dismiss.13
Wall appealed. The court of appeals was ultimately tasked with clarifying whether a health care provider can violate Wis. Stat. § 146.82 by simply accessing a patient’s record, or if release or disclosure of the patient-plaintiff’s record is also required. The statutory language at issue, § 146.82(1), provides in relevant part as follows:
All patient health care records shall remain confidential. Patient health care records may be released only to the persons designated in this section or to other persons with the informed consent of the patient or of a person authorized by the patient.14
The Gundersen employees pointed to the term “released” and argued that, to violate § 146.82(1), Wall needed to allege and prove that they released or disclosed his records to someone outside of their health care organization.15 In response, Wall contended that the first sentence of the statute—that records “shall remain confidential”—made mere access sufficient to state a claim and did not also require outside disclosure.
The court of appeals agreed with the defendants, affirmed the trial court, and dismissed Wall’s statutory claims. The court recognized that Wis. Stat. ch. 146 did not define the term “released,” so it reviewed dictionary definitions of the term and its use in other sections in Chapter 146 and HIPAA.16 Importantly, the court noted that the term “released” was synonymous with “disclosure” as used in HIPAA regulations, 45 CFR § 160.103, and that disclosure meant to disseminate information “outside the entity holding the information.”17 But it also found that the term was used in contrary ways in other state and federal statutes. The court therefore decided on an interpretation of the term “released” that it believed was reasonable in order to “avoid absurd or unreasonable results.”18
The court held that the statute’s use of the term “released” required the dissemination or disclosure of the patient’s records outside the organization holding the records.19 The court held that simply accessing a patient’s record without consent or pursuant to a valid exception did not amount to a violation of Wis. Stat. § 146.82(1). The court explained the reasoning behind its interpretation in a hypothetical that highlighted the difficulty posed by defending a breach of confidentiality claim years after the alleged access occurred:
When sued by a patient, possibly years after the fact, an employee would be faced with the difficult, potentially impossible, task of proving why he or she accessed a particular patient record in order to show that the access fell within one of the permissible circumstances set forth in § 146.82(2).20
Simply put, the court felt that a health care provider should not face liability under Wis. Stat. § 146.82(1), and possible punitive damages, simply because it was unable to recreate an employee’s access andthe employee could not recall the reason for the same. A provider, rather, should be liable only if its employees accessed and disclosed protected information to the public.
Maybe the most important takeaway from the court’s decision is that the underlying reason for the health care provider’s access in not important. So, even though Pahl and Schimke did not have Wall’s consent or a valid purpose for accessing his records, they were still free from liability because they did not disclose the information in any way.
The court of appeals’ decision did not mean that the defendants walked away unscathed, however. Wall argued that precluding otherwise valid claims against a health care provider because the information was not released would give health care providers carte blanche to access any records without consequence so long as they only shared the information internally. The court disagreed with Wall and recognized that a health care provider’s internal access to records is not the type of conduct governed by Wisconsin law.21 Rather, the protection of patient information and access that occurs within an organization is regulated by HIPAA. And while HIPAA does not permit a private cause of action for unlawful access, such conduct is still subject to civil and criminal penalties enforced by the Office for Civil Rights—the entity responsible for enforcing HIPAA’s security and privacy rules.22 So Pahl and Schimke, while avoiding civil liability in state court, still subjected Gundersen to federal fines. And of course, they also faced possible termination or other discipline from their employer or a licensing agency such as the Wisconsin Board of Nursing or Department of Safety and Professional Responsibility.
The court also discussed the potential ramifications that Wall’s interpretation of Wis. Stat. § 146.82(1) could have on health care organizations. Such claims, while usually based on a single employee’s access, are oftentimes attacks on an organization’s policies and practices. For example, an aggrieved patient could argue that the organization failed to provide proper confidentiality training to its employees or failed to prevent access to records beyond the duties of a certain job role. The Wall court recognized the inherent difficulty with defending these allegations. The court noted that holding a hospital liable any time an employee accessed a record would result inhospitals being forced to put in place systems that either verified an employee’s access was permissible each time he or she tried to access a patient record or required the employee to document his or her reasons for accessing a record each time he or she did so.23
Requiring such policies or practices would “place too unreasonable a burden” on hospitals and their employees.24 The court stated that it could not “fathom that the legislature intended to impose that type of burden when it enacted Wis. Stat. § 146.82.”25
The Wall decision represents a strong position in favor of health care providers. The decision takes into account the difficulty of defending HIPAAbased breach cases years after the conduct actually takes place. It also recognizes that a health care organization should not be held to an impossible standard when safeguarding patient information, especially in light of federal monetary penalties that are already in place to deter less harmful internal access.
Ryan Wiesner is an associate with the newly founded Leib Knott Gaynor LLC out of Milwaukee. Ryan focuses on defending complex litigation in state and federal courts across the country, mostly representing clients in matters involving professional negligence, civil rights, products liability, and commercial disputes. He can be contacted at firstname.lastname@example.org.
1 2016 WI App 71, ___ Wis. 2d ___, ___ N.W.2d ___.
2 Wis. Stat. § 146.82(1) and (2).
3 See Wis. Stat. §§ 146.82, 146.83, 146.84.
4 Wis. Stat. § 146.84(2)(a) and (b).
5 See Gulotta v. Thedacare, Inc., et al., Outagamie County Circuit Court case no. 12-CV-1482.
6 2016 WI App 71, ¶ 3.
9 Id., ¶ 4.
10 Id., ¶ 5.
12 Id., ¶ 6.
13 Id., ¶¶ 6-7.
14 Wis. Stat. § 146.82(1) (emphasis added).
15 2016 WI App 71, ¶ 11.
16 Id., ¶¶ 14-19, 21.
17 Id., ¶ 16.
18 Id., ¶¶ 17-21 (citing State ex. rel. Kalal v. Circuit Court for Dane County, 2004 WI 58, 271 Wis. 2d 633, 681 N.W.2d 110).
19 Id., ¶ 21.
20 Id., ¶ 22.
21 Id., ¶ 25.
22 Id., ¶¶ 24-25 (citing Seaton v. Mayberg, 610 F.3d 530, 533 (9th Cir. 2010)).
23 Id., ¶ 23.
24 Id. (quoting Colla v. Mandella, 1 Wis. 2d 594, 599, 85 N.W.2d 345 (1957)).