American Journal of Law & Medicine

Cyber-malpractice: legal exposure for cybermedicine.


This Article examines the content-related liability exposure of health care providers operating in cyberspace (cybermedicine).([double dagger]) The Article maps real space theories(1) of liability such as professional negligence, misrepresentation and products liability to cybermedicine fact patterns.

This Article examines cybermedicine in contrast to the more widely discussed but narrower issue of telemedicine.(2) The latter typically refers to technologies, primarily preconvergence telephony, satellite and video, used to patch geographical holes in health coverage.(3) Thus, telemedicine is to medicine what distance learning is to education.(4) Just as telemedicine technologies and goals have been more limited, so too have the legal issues been analyzed in a narrower regulatory(5) or licensure(6) issues.(7) In contrast, cybermedicine is a broader concept. It encompasses not only the technology and legal issues of telemedicine, but also a far greater array of nontraditional and unique, technology-enabled interactions among health care providers and consumer-patients.(8) Cybermedicine includes marketing, relationship creation, advice, prescribing and selling drugs and devices, and as with all things in cyberspace, levels of interactivity as yet unknown.(9)

Part II summarizes the themes likely to pervade the discourse during the emergence of cybermedicine and the mapping of liability models (cyber-malpractice) to World Wide Web (web) business models. To provide a firmer context, Part III briefly describes the presence of health care providers in cyberspace, and explains how some of their business models translate into cybermedicine. Then Part IV, V and VI identify three cybermedicine fact patterns that illustrate some or all of the themes identified earlier and that are likely to attract the initial forays into cyber-malpractice litigation. These fact patterns are: (1) web marketing by health care institutions; (2) web-based marketing and product support by pharmaceutical manufacturers; and (3) the proliferation of health-oriented advice sites. Part VII concludes with some brief observations about early attempts at managing cyber-malpractice exposure.


The use of a telephone by a physician to communicate a misdiagnosis to a patient does not automatically implicate telecommunications law. Equally, not every web or electronic mail (e-mail)(10) contact injects cyberlaw concerns or issues into health care provider liability cases. Thus, not every cyberspace intrusion into traditional malpractice law will prompt radical reengineering of doctrinal stalwarts. However, certain themes will greet the early litigious stages of developing cybermedicine; themes that are rooted in web business models and emerging provider liability doctrine.


This Article uses health care provider liability as a broad container for liability constructs that go beyond the paradigmatic malpractice case.(11) Horizontally, the potential pool of defendants is expanded to include managed care organizations (MCOs) and, somewhat more controversially, pharmaceutical manufacturers. Vertically, a far broader array of fact patterns is entertained, contemplating a growing number of "information torts,"(12) duties owed to nonpatients, product supply cases and access to care issues.

A somewhat cliched cyberspace observation nevertheless provides an appropriate starting point.(13) Cybermedicine and hence cyber-malpractice will spill over traditional state or national borders. Thus, relatively provincial health care provider liability doctrinal structures will confront overlapping regulatory and liability systems.(14) In intermingled with very difficult jurisdictional and extraterritoriality issues.(15)

Even if one concentrates on domestic intrastate provider activities, the implications of cyberspace are far-reaching. In real space, we can usually distinguish between a pharmacy and a pharmaceutical manufacturer, between a physician group and an MCO, but such distinctions are not always so obvious when viewing a health care provider web page. Cyberspace technology and business models encourage high levels of integration. For example, surf to CyberPharmacy,(16) apparently a CyberDocs(17) sister site, and you will find the following encouragement:

   If you are seeking an online consultation with a physician for medical 
   purposes, you may wish to check the CyberDocs Web site, where, depending on 
   your geographic origin, you may be able to obtain an immediate (24hr/7day) 
   or appointment-based keyboard and/or videoconferencing consultation with a 
   live, board-certified physician.(18) 

Even discrete corporate entities appear integrated, due to the increasingly seamless transitions from one site to another along carefully chosen links. Factor in banner advertisements that may be placed by site participants, sponsors, cross-marketers or generic advertisers, and often it is difficult to fathom the nature of a visited site.

Further, courts will be faced with many new liability scenarios as the virtual world permits interactions simply not possible in real space. When such cases emerge, lawyers naturally engage in a process of mapping, or analogizing, from real space to these novel virtual space cases.(19) Thus, courts faced with health care provider liability actions premised on acts or omissions in cyberspace will be working from a strong, mature base of applicable and already expanding doctrine.


The most challenging real world health care provider liability actions involve information torts. These actions, such as informed consent and failure to warn, examine the relative information costs incurred by providers and patients rather than providers' insensitive interpersonal acts or substandard quality of care.(20) In virtual space, all torts are information torts,(21) and information has very different costs in cyberspace.(22) The costs of access to information are dramatically decreased because it is cheaper both to give advice and to receive it.(23) As has been noted, "[t]he Web is the ultimate subversive medium. It allows people information they couldn't have got before. Doctors will just have to get used to patients with information."(24)

As the web dramatically increases the occasions for information provision and exchange, the result will be an explosion of health care provider actions that are concerned primarily with ex post facto judgment of the quality of information flow between provider and patient. Courts have thus far been hesitant to impose liability in cases where inadequate information has not been directly linked to consent.(25) Such positions are likely to come under increasing attack. These information tort cases will not be easy. As the web decreases many traditional information costs, it dramatically increases others. For example, the huge amount of information available increases sorting costs incurred by the consumer-patient.(26) Further, even leaving aside cases of fraud, electronic delivery complicates authenticating the source and assessing the reliability of information.(27) Overall, the courts will be seriously challenged in creating mechanisms that properly allocate information cost risks between providers and patients.

Finally, it should not be forgotten that the web will dramatically decrease patient information costs, and later transaction costs, in discovering the existence of tortious provider behavior. Patients suffering adverse results will be more likely to discover a possible provider-related cause and initiate a process that will lead to litigation.


Health care providers and drug manufacturers have discovered direct-to-consumer (DTC) or consumer-oriented marketing.(28) Providers have used the web because it has become a major force in corporate marketing strategies.(29) Yet, this embrace of mass media and interactive marketing has some interesting legal costs.

This theme may best be illustrated by two concrete examples that are expanded on below. First, the development of institutional provider (hospital or MCO) liability in the real world has been slowed by decades of decisions tending to favor an individual health care provider, typically physician, liability paradigm.(30) In more recent years, some doctrinal rubble has been cleared. What has emerged is a picture of institutional provider liability that most often is triggered by institutional actions or expectation-creating marketing plans that deemphasize the individual physician paradigm in favor of an aggregated, tightly integrated and industrialized model.(31) This picture seems to map perfectly the business models chosen by health care institutions in cyberspace.(32)

Second, drug manufacturers have employed the learned intermediary doctrine(33) to insulate themselves from certain product liability warning duties.(34) That doctrine, ostensibly in place to fulfill a warning function, has permitted pharmaceutical manufacturers to transfer some drug-risk information costs to physicians and patients.(35) Yet, the entire doctrine is premised on an extremely low level of contact and interaction between manufacturer and patient.(36) This is a premise that cannot withstand the empirical evidence of manufacturer web marketing.(37) Both of these scenarios are examples of how institutions and manufacturers are increasing their real world vulnerability because of their virtual space activities. This is a theme or trend that is likely to flow beyond these immediate examples and initiate new forms of representational liability.


Courts dealing with ex post facto liability models have tended to be negative toward liability theories with fact patterns involving injury-causing phenomena that exhibit low transaction costs.(38) This is particularly true in cases involving mass media exposure,(39) where liability is posited on the transmission of ideas rather than acts or omissions, or where the plaintiff relies on theories such as misrepresentation.(40) Similar issues appear in the case of certain types of damages, such as emotional and economic, that tend to have ripple effects.(41) All cases seem to contemplate a relatively anonymous, untargeted and undifferentiated plaintiff pool.(42)

Such judicial hesitance is rooted in the sentiment that exposure to such forms of liability or damages should be closely controlled lest the courts become clogged.(43) A frequent surrogate for this concern is the floodgates of litigation argument,(44) a statement of systemic concern perhaps best expressed by Justice Cardozo. He cautioned against exposing defendants to "liability in an indeterminate amount for an indeterminate time to an indeterminate class."(45) These sentiments also reflect a concern for the system, i.e. costs or inefficiencies that could be incurred when losses that are spread out are harvested for reallocation.(46) Such pervasive themes or concerns frequently find doctrinal voice in judicial wavering as to finding a close connection between defendant's alleged negligence and the plaintiffs' injuries or some sense of a lack of moral blameworthiness.(47)

Modern electronic commerce (e-commerce) and its enabling technologies break from the underlying precept on which defense victories in these cases are based. Obviously in cyberspace companies can have generalized mass marketing and announcements. Companies can literally reach an indeterminate class. It is already established as a tenet of cyberspace law that websites carry the potential for almost unlimited noncorporeal interaction.(48) The product of such interaction and the gathering of user information allows a high level of profiling and item targeting, of sensitivity to the extremely narrow, personalized needs, wants, symptoms and conditions of the targeted person.(49)

Thus, cybermedicine will suffer from what might be viewed as the penalty of personalization. Interactivity brings targeting, and targeting bespeaks foreseeability. From the perspective of the health care provider's database, the potential plaintiffs are not undifferentiated, the drug-interactions are not unidentified and the symptoms or individuated risks are not unknown. In short, Cardozo's "indeterminate class" is no longer an anonymous undifferentiated one.


The Internet (and, in its footsteps, the web) originated as a communications medium,(50) mixing in scientific, educational and alternative cultures, to become a nascent community medium. Currently the web, fueled by rapidly evolving technological innovations, is in the process of evolving into a mass medium dominated by characteristics adapted from entertainment, marketing and retailing cultures and media. These tendencies will be confirmed and then accelerated by the growth of broadband access,(51) the adoption of Internet protocol(52) as the universal transport for all data, including telephony and video, and the convergence of web and existing media.

Business models for the web(53) have been difficult to define and implement, in part because enthusiastic early adopters of this content-rich environment have steadfastly refused to pay for pure data or information, often referred to as soft, web-based content.(54) In contrast, consumers have shown themselves increasingly willing to purchase some hard goods from the web. Established or bricks and mortar retailers(55) are engaged in a brutal struggle with web upstarts,(56) particularly in areas of easily shipped goods, such as books, videos and compact discs (CDs). Outside of web retailing of traditional hard goods (e.g., books or CDs) business models seem less focused. Entrepreneurial activity (including preparing the business for an initial public offering (IPO)) is frequently frantic, even schizophrenic, dominated more by branding, presence and cross-marketing than by real space business fundamentals such as revenue streams.(57)

Media companies generally seem to be concentrating on content leveraging and brand management.(58) Meanwhile, businesses that provide services that are not, or were not, consumer facing have embarked on ambitious web-based marketing plans and the adoption of the latest targeting and personalization technologies.(59) The recognized verity for web-based business models in thick markets is that the web-presence should be sticky; that is, a website should capture the loyalty of surfers so that they return or designate the site as their home page, the marketer's ideal.(60) For a site to be sticky, it must comply with the contemporary web marketers' mantra of content, community and commerce.(61) Clearly, health care providers are subscribing to this approach, looking first at content and communities to make their sites sticky, no doubt in preparation for more explicitly commercial activities.

In the first few years of its existence, the web's most innovative business model has been the portal.(62) There are two portal models. The first and most obvious model, and that chased by major media and computer businesses, revolves around the provision by the portal site of a free service to web surfers, such as a search engine(63) or e-mail.(64) Such portals then sell their own products, third-party products and third-party advertising.(65) The second type of portal model has community elements, concentrating on particular web population subsets; they are known as vertical portals.(66) Obviously this model has considerable relevance to established real space vertical markets such as law(67) or health care.(68)

Although drug companies and MCOs clearly seek a portal presence, they are also struggling with the targeting of their sites. Overall, provider websites fit within one of two broad models: those directed at other professional or commercial members of the vertical health market and those directed at consumer-patients. The web already has more than 1500 listings for medical equipment,(69) over 400 listings for medical suppliers, such as gloves, dental products, surgical instruments(70) and more than 4600 listings for medicine, generally specialties and subspecialties aimed at professionals.(71) Of the sites that are more obviously aimed at consumer-patients, the web has over 1000 listings for U.S. hospitals and medical centers,(72) and more than seventy listings for managed care providers.(73) Surfers will also find over 1100 listings for pharmaceuticals, including manufacturers,(74) pharmacies and organizations seeking volunteers for clinical trials.(75)

Somewhat more difficult to classify are the more than 5000 listings for individual diseases and conditions,(76) and the more than 400 listings on specific drugs.(77) Take just the obvious example of Viagra sites listed by Yahoo!(78) Of the sites, one is the official Viagra site(79) run by the manufacturer Pfizer, Inc. In addition, however, you will find the apparently commercial Viagra Resource Site(80) that offers Viagra information and links to what appear to be online doctors and pharmacies. The Yahoo! link also takes you to Viagra Talk,(81) which is hosted by a physician who is also a broadcaster and an author.

Taking into account the various cyber-malpractice themes that will lead the debate and the large number of provider liability business models, this Article now concentrates on three emergent tendencies in cybermedicine to illustrate these liability themes. As noted earlier, these trends are web-based marketing by health care institutions, particularly hospitals and MCOs, web-based marketing and product support by pharmaceutical manufacturers, and the proliferation of health-oriented advice sites. Throughout this Article, the concentration is on relative threshold issues such as whether a plaintiff's claim would survive a motion to dismiss or summary judgment, leaving more granular issues such as the content of the duty of care for later analysis.


In recent years, a much clearer picture of real space institutional provider liability in malpractice cases has emerged.(82) However, some areas of the picture still remain opaque. For example, questions remain as to the extent of common law(83) or statutory(84) liability of MCOs with regard to the decision to approve or disapprove of particular medical treatments. In addition, the exact interface between institutional MCO liability and the Employee Retirement Income Security Act (ERISA) remains an area of difficulty.(85) However, what has become clear is that an institution's marketing now plays a significant role in determining the extent of its indirect institutional tort liability.(86)

There are an almost infinite number of web models available to shape an institutional health care providers' web presence. Extant examples include simple marketing and informational sites,(87) health maintenance organizations (HMOs) exhibiting considerable levels of integration,(88) fully integrated managed care systems(89) and vertical portals serving multiple constituencies.(90) Clearly health care institutions have discovered DTC or consumer-oriented marketing, which will have serious liability exposure implications.

As is well known, the two traditional routes for imposing legal responsibility on an institutional provider are indirect or vicarious liability and direct or corporate liability.(91) The latter is relatively uncontroversial in cases involving facilities, equipment and maintenance of premises.(92) However, the law is considerably less settled in cases involving core medical care services.(93) Questions remain both about the reach of duty issues, such as its applicability to informed consent and to certain types of plaintiffs,(94) and there is uncertainty about the liability trigger, whether it is review or supervision.(95)

Today, the vicarious liability game is played out using a number of theories: case-by-case ostensible agency;(96) agency-based on the right to control rather than actual control;(97) agency by estoppel;(98) apparent authority/agency;(99) and nondelegable duty.(100) Law professors, unlike their students, arguably would never have tired of this messy arsenal of case-by-case reallocation tools. However, the courts seem to have had enough. A growing number of courts have moved toward an enterprise liability model that, given its conceptual underpinnings, utilizes a wide-ranging representational theory, a theory driven by providers' chosen business models.

Kashishian v. Port(101) was the breakthrough case. In Kashishian, the plaintiff argued that a hospital should be liable for the alleged negligence of a nonemployee cardiologist,(102) The plaintiff's doctrinal route was apparent agency, which, as has been noted, is frequently used as a basis for institutional liability,(103) Kashishian expanded liability beyond narrow fact patterns, such as emergency rooms or radiology departments and stressed the marketing endeavors of the institutional defendant as key, stating:

   Cases and commentaries on the doctrine invariably point to the recognition 
   that hospitals increasingly hold themselves out to the public in expensive 
   advertising campaigns as offering and rendering quality health care 
   services. One need only pick up a daily newspaper to see full and half page 
   advertisements extolling the medical virtues of an individual hospital and 
   the quality health care that the hospital is prepared to deliver in any 
   number of medical areas. Modern hospitals have spent billions of dollars 
   marketing themselves, nurturing the image with the consuming public that 
   they are full-care modern health facilities. All of these expenditures have 
   but one purpose: to persuade those in need of medical services to obtain 
   those services at a specific hospital. In essence, hospitals have become 
   big business, competing with each other for health care dollars. As the 
   role of the modern hospital has evolved, and as the image of the modern 
   hospital has evolved (much of it self-induced), so too has the law with 
   respect to the hospital's responsibility and liability towards those it 
   successfully beckons. Hospitals not only employ physicians, surgeons, 
   nurses, and other health care workers, they also appoint physicians and 
   surgeons to their hospital staffs as independent contractors. What is the 
   responsibility of hospitals when these independent contractors render 
   negligent health care? Can they escape liability for the rendering of 
   negligent health care in all instances simply because the person rendering 
   the care was an independent contractor, regardless of how hospitals held 
   themselves out to the consuming public, regardless of how the doctor 
   rendering the health care held himself or herself out to the consuming 
   public, and regardless of the perception created in the mind of the 
   consuming public? We think not.(104) 

In Sword v. NKC Hospitals, Inc.,(105) the plaintiffs sought to use apparent agency theory to hold an institution liable for the alleged negligence of a nonemployee anesthesiologist.(106) The court refused to enter the morass of traditional apparent agency case law or navigate the intricacies of either ostensible agency(107) or agency by estoppel.(108) Instead, it showed a preference for a sui generis theory, as follows:

   For a hospital to be held liable for the negligence of a health care 
   professional under the doctrine of apparent agency, a plaintiff must show 
   that the hospital acted or communicated directly or indirectly to a patient 
   in such a manner that would lead a reasonable person to conclude that the 
   health care professional who was alleged to be negligent was an employee or 
   agent of the hospital, and that the plaintiff justifiably acted in reliance 
   upon the conduct of the hospital, consistent with ordinary care and 

Applying that test, the Sword court reversed the defendant's summary judgment holding in favor of the defendant, because of evidence drawn exclusively from the defendant's external marketing, including brochures and comparative advertising. …

Log in to your account to read this article – and millions more.