Until recently, Connecticut health care providers who disclosed patient medical information in violation of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) were subject only to HIPAA's administrative penalties and possibly to claims of breach of patient-provider contracts. Suits based on HIPAA violations were thought to be "preempted" or precluded by HIPAA.
As of January 16, 2018, the official release date of the Connecticut Supreme Court's unanimous opinion in the case of Emily Byrne v. Avery Center for Obstetrics and Gynecology, P.C., Connecticut joins the growing number of states recognizing a private cause of action for breach of the duty of confidentiality in the physician-patient relationship by the disclosure of protected health information. The decision paves the way for increased litigation against health care providers and (possibly) other entities regulated by HIPAA.
Beware Careless Subpoena Compliance
The facts of the Byrne case serve as a warning that health care providers who receive subpoenas for medical records need to think twice about how to comply with such demands. In a paternity suit, the lawyer of Emily Byrne's ex-boyfriend subpoenaed her OBGYN records to the probate court. The Avery Center mailed a copy of Ms. Byrne's medical file to the court, without first receiving the assurances required by HIPAA that Ms. Byrne was aware of the subpoena. The ex-boyfriend obtained the records from the court and then allegedly used them to harass and extort Ms. Byrne and her extended family. Ms. Byrne sued the Avery Center for breach of contract and negligence. The trial court dismissed her negligence claims because neither the Connecticut Supreme Court nor the state legislature had recognized a private cause of action for breach of physician-patient confidentiality.
The Supreme Court reversed the trial court. According to the Court, allowing patients to bring such claims is consistent with public policy as expressed in state and federal law, including HIPAA, as well as court decisions in a growing number of states. The Court observed further that HIPAA privacy rules – to the extent that they are commonly followed by health care providers – may establish the standard of care by which liability for breach of medical privacy may be determined.
A Warning for Business Associates, Employers, and Others?
The language of the Byrne opinion (download here) ostensibly limits the new cause of action to the patient-physician relationship. The HIPAA medical privacy rules, however, are not so limited. They extend confidentiality requirements to a provider's vendors, or "business associates", as well as health plans and health data processors known as "health care clearinghouses". It remains to be seen whether Connecticut will expand the new medical privacy tort to permit similar suits against such entities. For now, providers and related businesses should review their privacy notices, policies, and procedures, as well their third-party contracts to safeguard against improper disclosure of personal health information; and consult with counsel prior to responding to a subpoena.
For more information on privacy and security issues, including HIPAA compliance, please contact:
Sherwin M. Yoder
(203) 784-3107; [email protected]
For information on medical professional liability and health care law, please contact:
Kristin C. Connors
(203) 578-4202; [email protected],com
(203) 575-2654; [email protected]
Ann H. Zucker
(203) 252-2652; [email protected]