Image of male nurse pushing senior woman in a wheelchair in nursing facility

Long-term care providers may not be on the hook when workers improperly share resident data for purely personal reasons, suggests a recent legal ruling.

The case involved a man identified as John Doe, who received treatment for a sexually transmitted disease at Guthrie Clinic Steuben in Corning, New York, in 2010. A nurse at the clinic recognized the man as her sister-in-law’s boyfriend, and sent her sister-in-law confidential information from his medical records, according to court documents.

When the man discovered that his information had been shared, he sued the clinic for breach of confidentiality.

A New York appeals court found against Doe, and the U.S. Court of Appeals for the Second Circuit upheld that decision in a ruling issued Monday. In order for the clinic itself to be liable, the nurse’s actions must have been “reasonably foreseeable” and the breach must have occurred “within the scope of employment,” the courts determined.

Actions taken by people to fulfill or carry out the duties of their jobs are considered to fall under the “scope of employment.”

“There is no dispute that the employee responsible for disclosing Doe’s confidential medical information acted outside the scope of her employment,” the federal judges wrote in their dismissal.

The nurse who shared the man’s medical information did lose her job, according to the Bureau of National Affairs.