                           STATE OF MICHIGAN

                           COURT OF APPEALS



ANGELA RENEE WARE,                                               UNPUBLISHED
                                                                 November 4, 2014
              Plaintiff-Appellee,

V                                                                No. 307886
                                                                 Kalamazoo Circuit Court
BRONSON METHODIST HOSPITAL,                                      LC No. 2010-000635-NZ

              Defendant-Appellant,
and

PATRICIA MARIE WARK,

              Defendant.



Before: RONAYNE KRAUSE, P.J., and HOEKSTRA and WHITBECK, JJ.

RONAYNE KRAUSE, P.J. (dissenting).

               Defendant Patricia Wark, a nurse employed by defendant Bronson Methodist
Hospital, repeatedly accessed the confidential medical record of plaintiff Angela Renee Kratzer
(formerly Angela Renee Ware), a Bronson Hospital patient. The Hospital admits that Wark was
not one of Kratzer’s healthcare providers and should not have viewed Kratzer’s records. The
Hospital further concedes that when admitted to the Hospital, Kratzer feared Wark would
attempt to read her medical record, warned the Hospital of this possibility, and specifically
directed the Hospital not to “share” her health information with Wark.

        When Wark disclosed the illegally accessed confidential information in a child custody
proceeding, Kratzer sued Wark and the Hospital. As to the Hospital, Kratzer’s complaint sets
forth several liability theories. One theory focuses on the Hospital’s policies and procedures
addressing the confidentiality of medical information. Kratzer’s complaint avers that the
Hospital negligently failed to adopt “appropriate policies and procedures for safeguarding,
protecting, and ensuring the confidentiality of a patient’s protected health information from
unauthorized access,” and raised several other claims related to the Hospital’s medical record
access policies. One issue presented is whether Kratzer’s policy and procedure claims sound in
negligence or in medical malpractice.




                                              -1-
       The majority holds that “[t]o determine whether the Hospital’s policies and procedures
were appropriate, the jury would necessarily have to balance what information doctors, nurses,
and medical staff require to make medical decisions against the patients’ rights to confidentiality
under various laws.” Ante at 10. According to the majority, “[a] jury cannot determine whether
an employee will need health information to do his or her job without knowing and
understanding what information several types of hospital employee – doctors, nurses, and other
medical staff—reasonably require to make medical decision.” Id. Thus, the majority concludes,
Kratzer’s claim concerning hospital policies sounds in medical malpractice rather than in
negligence.

       I respectfully dissent. In my view, designing policies and procedures that adequately
safeguard a patient’s right to confidentiality does not require an exercise of medical judgment.
Contrary to the majority’s view, no standards of medical care dictate the privacy rights of
hospital patients. Rather, the questions presented are legal, technological, and administrative.
Clearly, expert testimony is necessary. However, the expert testimony critical to Kratzer’s case
has nothing to do with the medical standards of care expected of health care professionals.
Accordingly, I would hold that a jury should decide Kratzer’s policy and procedure claims.



        I would not have addressed the Hospital’s statute of frauds argument regarding plaintiff’s
breach of implied contract claim for the first time on appeal, but the majority’s recitation of
MCL 566.132 is accurate. I respectfully disagree with the majority’s conclusion that any of
plaintiff’s claims sound in medical malpractice.

       In Bryant v Oakpointe Villa, 471 Mich 411, 422; 684 NW2d 864 (2004), our Supreme
Court set forth the two “defining characteristics” of a medical malpractice clam:

       First, medical malpractice can occur only “‘within the course of a professional
       relationship.’” [Dorris v Detroit Osteopathic Hosp Corp, 460 Mich 26, 45; 594
       NW2d 455 (1999) (internal quotation omitted)]. Second, claims of medical
       malpractice necessarily “raise questions involving medical judgment.” Id. at 46.
       Claims of ordinary negligence, by contrast, “raise issues that are within the
       common knowledge and experience of the [fact-finder].” Id. Therefore, a court
       must ask two fundamental questions in determining whether a claim sounds in
       ordinary negligence or medical malpractice: (1) whether the claim pertains to an
       action that occurred within the course of a professional relationship; and (2)
       whether the claim raises questions of medical judgment beyond the realm of
       common knowledge and experience. If both these questions are answered in the
       affirmative, the action is subject to the procedural and substantive requirements
       that govern medical malpractice actions.

Clearly and undisputedly, the relationship here was professional. However, protecting private
client information is inherent in almost any professional relationship and a great many ordinary
business relationships as well. The fact that the information happened to be medical in nature
has no bearing on the essentially administrative judgment necessary to protect it, either in the
abstract or, as here, from an anticipated and specific known threat. Bryant’s second inquiry

                                               -2-
directs us to examine “whether the claim raises questions of medical judgment requiring expert
testimony or, on the other hand, whether it alleges facts within the realm of a jury’s common
knowledge and experience.” Id. at 423. “If the reasonableness of the health care professionals’
action can be evaluated by lay jurors, on the basis of their common knowledge and experience, it
is ordinary negligence. If, on the other hand, the reasonableness of the action can be evaluated
by a jury only after having been presented the standards of care pertaining to the medical issue
before the jury explained by experts, a medical malpractice claim is involved.” Id. Simply put,
there is nothing medical about the protection of confidential client/patient information.

        The majority declares that “multiple medical standards of care” factor into the creation of
confidentiality policies, ante at 10, emphasis in original, but supports this sweeping, conclusory
statement with neither analysis nor examples. In my view, a single standard of care bears
relevance to hospital confidentiality policies, and a lay jury can easily evaluate that standard
without assistance from medical experts. In a nutshell, that standard provides that patients have
a right to keep confidential the details of their medical care and treatment. Perhaps this right of
confidentiality dates back to adoption of The Hippocratic Oath, a provision of which provides: “I
will respect the privacy of my patients, for their problems are not disclosed to me that the world
may know.” Stedman’s Medical Dictionary (28th ed), pp 890-891.

        The Michigan Supreme Court recognized this fundamental principle more than 130 years
ago in DeMay v Roberts, 46 Mich 160; 9 NW 146 (1881). In that case, Dr. DeMay brought “an
unprofessional young unmarried man” with him to “the childbed” of Mrs. Roberts. Dr. DeMay’s
companion “could hear at least, if not see all that was said and done” during the ensuing
childbirth. Id. at 165. The Supreme Court found that a violation of Mrs. Robert’s right to
privacy permitting the recovery of “substantial damages,” declaring:

       It would be shocking to our sense of right, justice and propriety to doubt even but
       that for such an act the law would afford an ample remedy. To the plaintiff the
       occasion was a most sacred one and no one had a right to intrude unless invited or
       because of some real and pressing necessity which it is not pretended existed in
       this case. The plaintiff had a legal right to the privacy of her apartment at such a
       time, and the law secures to her this right by requiring others to observe it, and to
       abstain from its violation. Id. at 165-166.

        The standard of care articulated in DeMay is easily understood by laypersons. It does not
differ among obstetricians, anesthesiologists, or pediatricians. In fact, since this standard of care
does not involve medical expertise but privacy concerns in general, it also applies to any other
setting in which privacy rights are implicated, such as an attorney/client relationship. 1 For the
present case it is important to note that just because the privacy issue arose in a medical setting
over medical information does not mean medical experts are required. Private medical


1
  The phrase ‘standard of care’ can apply to a variety of concepts. In this case, the majority
refers to a medical standard of care. However, since this case involves not a medical issue but a
privacy issue, the phrase ‘standard of care’ refers not to anything medical, but to the standard of
care involving the duty to ensure the privacy of a patient’s confidential information.


                                                -3-
information must be kept private. Numerous statutes incorporate this basic axiom. See MCL
333.26261 et seq (The Medical Records Act), MCL 330.1748 (mental health records), MCL
333.20170 (Public Health Code, medical records access and compliance), MCL 333.20201 (Public
Health Code, patient rights), MCL 333.21515 (Mental Health Code, confidentiality of records),
Michigan Administrative Code 324.1028 (minimum standards for hospitals).

        Legal necessities sometimes intrude on a patient’s right to privacy. For example, a
patient’s receipt of insurance benefits may be conditioned on a waiver of some aspects of the
physician-patient relationship. Similarly, a plaintiff in a personal injury case may be required to
waive the patient/physician privilege to recover damages for injury. Such waivers are exceptions
to the rule of confidentiality and must be taken into account in privacy policies. However, the
relationships giving rise to waivers are of no moment here, because the standard of care owed to
Kratzer does not implicate any waiver. That standard required the Hospital to maintain her
records in a manner that prevented access to unprivileged parties, particularly Wark. How that
standard should have been implemented implicates practical questions such as the design of a
computer records system.2 However, it has nothing to do with a standard of care regarding
anything other than privacy.

       Nor does an analysis of medical record policies and procedures call for the exercise of
medical judgment. The duty to protect medical records from prying eyes may have originated
with Hippocrates, but it is now clearly elucidated in HIPAA regulations compelling a hospital to:

        (1) Ensure the confidentiality, integrity, and availability of all electronic
       protected health information the covered entity or business associate creates,
       receives, maintains, or transmits.

       (2) Protect against any reasonably anticipated threats or hazards to the security or
       integrity of such information .

       (3) Protect against any reasonably anticipated uses or disclosures of such
       information that are not permitted or required under subpart E of this part.

       (4) Ensure compliance with this subpart by its workforce. 45 CFR § 164.306.




2
  This Court’s internal docketing and case management system locks certain users out of data
available to other users. For example, judges cannot access portions of the system used by the
clerk’s office. Research attorneys cannot access aspects of the system available to judges. How
the system creates its pathways and blockades is beyond my understanding. However, it most
certainly does not involve a legal standard of care. This Court’s programmers incorporated
policy and decisions giving rise to the confidentiality rules with computer technology. Similarly,
a hospital privacy policy should marry legal rules and regulations with technological know-how.
Medical standards of care are not part of this mix.


                                               -4-
Notably, the regulations contemplate that a hospital must protect against “reasonably anticipated
threats” to the security of electronically stored health care information. HIPAA permits covered
hospitals some leeway in designing their policies:

       (b) Flexibility of approach.

       (1) Covered entities and business associates may use any security measures that
       allow the covered entity or business associate to reasonably and appropriately
       implement the standards and implementation specifications as specified in this
       subpart.

       (2) In deciding which security measures to use, a covered entity or business
       associate must take into account the following factors:

       (i) The size, complexity, and capabilities of the covered entity or business
       associate.

       (ii) The covered entity's or the business associate's technical infrastructure,
       hardware, and software security capabilities.

       (iii) The costs of security measures.

       (iv) The probability and criticality of potential risks to electronic protected health
       information. 45 C.F.R. § 164.306.

I find nothing in these criteria related to the intricacies of medical practice or the exercise of
medical judgment. Indeed, Hospital patients are informed when they consent to treatment that
the Hospital’s privacy policy attaches to their healthcare information, that “[a]ll Bronson
affiliated providers . . . are required by law to maintain the privacy of [patients’] health
information,” and that their information may only be provided to others to facilitate treatment or
to pay insurance claims. Drawing on their common knowledge and experience, lay people
readily understand these uncomplicated statements. Kratzer alleges that gaps in the Hospital’s
privacy policies permitted an unprivileged interloper to easily access confidential information.
Unlike the majority, I believe that the resolution of this claim likely requires input from
computer experts, lawyers, and/or hospital administrators. However, jurors have no need of
expert testimony concerning standards of medical care to determine whether the Hospital’s
privacy policies adequately protected patients such as Kratzer. Indeed, the majority’s failure to
identify what medical specialist must sign the relevant affidavit of merit under MCL 600.2169(1)
reveals the inadequacies of the majority’s analysis.

       I would agree with the majority’s observation that determining who has a need to view
any given patient’s medical information at any given time may entail some degree of medical
judgment, if that necessity was assessed within the context of actual medical care or treatment.
In context, however, that is a straw man argument. There is absolutely no dispute here that Wark
had no need to view plaintiff’s information and was in no way involved in plaintiff’s care or
treatment. The gravamen of plaintiff’s complaint is not an assertion that the Hospital should
have selected a different constellation of individuals who should have been authorized to view
her medical information, but rather that the Hospital failed to ensure that those who were

                                                -5-
actually not authorized had no access. Indeed, five out of the seven duties plaintiff asserts were
breached explicitly refer to access which was unauthorized, not merely inappropriate. The other
two assert that the Hospital failed to limit disclosures to those who needed the information,
which, again, Wark undisputedly did not.

        Had Wark actually been involved in any way in plaintiff’s care or treatment, and had
plaintiff asserted that Wark was but should not have been authorized to view her records, the
majority’s logic would be entirely appropriate. It is obviously a matter of medical judgment
whether an actual provider of care or treatment needs to know any particular information about a
patient. However, there is no medical judgment necessary to determine that medical records are
private. Likewise, there is no medical judgment necessary to know that someone totally
uninvolved with a given patient does not need to know anything about that patient, at least until
such time as they become involved. By way of an analogy, a clerk hired by a lawyer has no need
to pry into confidential client files being kept by another lawyer down the hall, and there is no
particular legal training necessary to draw that conclusion. The concepts of privacy and the
failure to maintain it are certainly “within the common knowledge and experience” of jurors.

        The determination of what a care or treatment provider needs to know about a patient
may be medical, but the implementation of excluding all others from access is simply
administrative. Expert testimony may be required, but in this day and age the expert is more
likely to be a computer expert, records auditor, or even a lawyer. The majority concludes that
whether the Hospital failed to follow its own procedures requires no medical testimony; I agree,
however by the same logic, whether those procedures were effective at accomplishing their
purported goals also requires no medical testimony. It likewise requires no medical judgment to
act on an advance warning of a known threat or to implement a training program in either
privacy concepts in general or whatever access control system the Hospital has in place—or,
indeed, whether to have training or an access control system at all.

        The majority complains that it “cannot fathom how the Hospital – or any hospital—could
formulate a privacy policy without substantial, direct input from doctors, nurses and medical
staff.” Neither can I. But inviting “substantial, direct input” from medical professionals is a far
cry from constructing a medical confidentiality policy predicated on medical standards of care.
The medical record confidentiality standard of care is in the first instance dictated by the Health
Insurance Portability and Accountability Act, and in the second instance by technological and
practical considerations. Standards of care flowing from approaches to patient treatment simply
have no bearing on the central principle animating confidentiality policies – a patient has a right
to keep her private medical information private. Despite the majority’s insistence that “the
standard of care pertaining to medical issues” must inform a confidentiality policy, the majority
has not provided even a single example of why this must be so. Nor has the majority elucidated
how the steps involved in developing a confidentiality policy meeting legal requirements would
fall outside the common understanding of lay jurors. Perhaps most tellingly, the majority offers
no explanation of how a plethora of medical standards of care, involving judgments from
anesthesia choices to x-ray protocols, could, should, or ever actually have factored into a single
hospital privacy policy.




                                               -6-
        I would hold that none of plaintiff’s claims, at least as they are presented in this matter,
raise issues of medical judgment. To the extent the trial court denied summary disposition on the
basis that the case does not sound in medical malpractice, I would affirm.



                                                             /s/ Amy Ronayne Krause




                                                -7-
