OPINION OF THE COURT
Pigott, J. The United States Court of Appeals for the Second Circuit has certified the following question for our consideration: “Whether, under New York law, the common law right of action for breach of the fiduciary duty of confidentiality for the unauthorized disclosure of medical information may run directly against medical corporations, even when the employee responsible for the breach is not a physician and acts outside the scope of her employment?” We answer the question in the negative.
On July 1, 2010, “John Doe” was being treated for a sexually transmitted disease (STD) at the Guthrie Clinic Steuben, a private medical facility. A nurse employed by the Clinic recognized Doe as the boyfriend of her sister-in-law. The nurse accessed Doe’s medical records and learned that he was being treated for the STD. While Doe was still awaiting treatment, she sent text messages to her sister-in-law informing her of Doe’s condition. The sister-in-law immediately forwarded the messages to Doe; according to Doe, the messages suggested that staff members were making fun of his medical condition.
Five days after his visit to the Clinic, Doe called to complain of the nurse’s behavior. He met with an administrator of the Clinic, and the nurse was fired. Thereafter, the President and CEO of Guthrie Clinic, Ltd. sent a letter to Doe confirming that there had been an unauthorized disclosure of Doe’s confidential health information, that appropriate disciplinary actions had been carried out, and that steps had been taken to prevent such a breach from occurring in the future.
Doe subsequently filed this action in federal court against defendants, various affiliated entities that allegedly “owned, possessed, operated, staffed and/or otherwise controlled” the clinic. In his complaint, Doe asserted eight causes of action: (1) common-law breach of fiduciary duty to maintain the confidentiality of personal health information, (2) breach of contract, (3) negligent hiring, training, retention and/or supervision of employees, (4) negligent infliction of emotional distress, (5) intentional infliction of emotional distress, (6) breach of duty to maintain the confidentiality of personal health information under CPLR 4504, (7) breach of duty to maintain the confidentiality of personal health information under Public Health Law § 4410, and (8) breach of duty to maintain the confidentiality of personal health information under Public Health Law § 2803-c.
The United States District Court for the Western District of New York granted the defendants’ motion to dismiss all eight claims (2012 WL 531026, 2012 US Dist LEXIS 20507 [US Dist Ct, WD NY Feb. 17, 2012]).
Doe appealed the dismissal of the first five of the eight causes of action. The United States Court of Appeals for the Second Circuit affirmed the dismissal of four of the remaining five causes of action, reserving decision on his claim of breach of fiduciary duty, which is the only subject of this certified question (519 Fed Appx 719 [2d Cir 2013]).
In a separate opinion (710 F3d 492 [2d Cir 2013]), the Second Circuit found that the nurse’s actions were not foreseeable to defendants, nor were her actions taken within the scope of her employment (id. at 495). The court explained that in his complaint Doe himself alleged that the nurse was motivated by purely personal reasons and “[t]hose reasons had ‘nothing to do with [Doe’s] treatment and care’ ” (id. at 495-496, citing Doe complaint at ¶ 25). “As such,” the court held, the nurse’s “actions cannot be imputed to the defendants on the basis of respondeat superior” (id. at 496). The court certified the question to this Court, however, whether Doe may assert a specific and legally distinct cause of action against defendant for breach of the fiduciary duty of confidentiality, even when respondeat superior liability is absent (id. at 498).
Generally, a hospital or medical corporation may be held vicariously liable for the wrongful acts of its employees (see e.g. Hill v St. Clare’s Hosp., 67 NY2d 72, 79 [1986]). However, “[u]nder the doctrine of respondeat superior, an employer may be vicariously liable for the tortious acts of its employees only if those acts were committed in furtherance of the employer’s business and within the scope of employment” (N.X. v Cabrini Med. Ctr., 97 NY2d 247, 251 [2002]). Thus, a medical corporation is generally not liable for a tort of an employee when such an action is not within the scope of employment.
We have, in other circumstances, declined to hold a medical corporation to a “heightened duty” for an employee’s misconduct. For instance, in N.X. v Cabrini Med. Ctr., where a physician employed by the defendant hospital committed a sexual assault on a sedated patient, this Court rejected the attempt to hold the hospital strictly liable. We declined to recognize a heightened duty on the part of the hospital, explaining:
“A hospital has a duty to safeguard the welfare of its patients, even from harm inflicted by third persons, measured by the capacity of the patient to provide for his or her own safety .... This sliding scale of duty is limited, however; it does not render a hospital an insurer of patient safety or require it to keep each patient under constant surveillance .... As with any liability in tort, the scope of a hospital’s duty is circumscribed by those risks which are reasonably foreseeable” (id. at 252-253).
Since the sexual assault committed by the hospital employee was “not in furtherance of hospital business” and was “a clear departure from the scope of employment, having been committed for wholly personal motives” (id. at 251), we concluded that the hospital could not be held vicariously liable.
Here, Doe urges us to impose absolute liability on the medical corporation for an employee’s dissemination of a patient’s confidential medical information. We decline to do so, and, to the extent that this rationale may have been employed in Doe v Community Health Plan—Kaiser Corp. (268 AD2d 183 [3d Dept 2000]), we reject that decision. For the same reasons stated in Cabrini, a medical corporation’s duty of safekeeping a patient’s confidential medical information is limited to those risks that are reasonably foreseeable and to actions within the scope of employment.
The dissent, in accepting Doe’s argument, would impose strict liability on medical corporations for any disclosure by an employee, an approach that is unnecessary and against precedent.* In cases where an injured plaintiff’s cause of action fails because the employee is acting outside the scope of employment, a direct cause of action against the medical corporation for its own conduct, be it negligent hiring, supervision or other negligence, may still be maintained (see Judith M. v Sisters of Charity Hosp., 93 NY2d 932, 934 [1999]). A medical corporation may also be liable in tort for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train their employees to properly discharge their duties under those policies and procedures. These potential claims provide the requisite incentive for medical providers to put in place appropriate safeguards to ensure protection of a patient’s confidential information. Those causes of action in the present case have already been resolved by the federal courts and we therefore do not address them.
Accordingly, the certified question should be answered in the negative.
* Subjecting hospitals and other health care entities to strict liability for the acts of an employee that were not only unauthorized, but motivated entirely by personal reasons is contrary to well-established precedent (see N.X. v Cabrini Med. Ctr., 97 NY2d 247, 252-253 [2002]; Cornell v State of New York, 46 NY2d 1032 [1979]). While the dissent finds our holding too “narrow” (see dissenting op at 486), the dissent’s reasoning is flawed for the opposite reason; it is too broad. If the dissent’s view is taken to its logical conclusion, a medical provider may be held liable in negligence for any inadvertent disclosure by an employee. As an example, if a receptionist of a private physician discloses at a cocktail party that a patient was in to see the doctor for a particular ailment, perhaps unbeknownst to the patient’s family because he did not want to worry them, under the dissent’s rule, the medical corporation would be required to respond in damages for that disclosure.