The Connecticut Supreme Court reinforced an earlier ruling on Health Insurance Portability and Accountability Act (HIPAA) privacy as a standard of care in a second opinion in Byrne v. Avery Center for Obstetrics and Gynecology PC, SC 19873 (Conn., Jan. 16, 2018).
This time, finding that the state did recognize a common-law tort for violating the physician-patient privilege, the court cited a failure to follow HIPAA’s subpoena response procedures as a key factor in allowing the patient’s negligence lawsuit to proceed to trial.
“Lucy,” a patient at the Avery Center for Obstetrics and Gynecology, instructed the center not to release her records to her ex-boyfriend “Charlie.” Later, however, when Charlie subpoenaed Lucy’s records from the center as part of a paternity lawsuit, the provider allegedly mailed a copy of her medical file to the court where that suit had been filed, without contesting the subpoena or notifying her. Charlie then saw this information in the court records and subjected Lucy to “harassment and extortion threats,” she alleged.
Lucy sued the Avery Center, claiming among other things that the facility had acted negligently by failing to protect her medical file as required by HIPAA and Connecticut law. The trial court dismissed these claims on the basis that the state-law claims were preempted by HIPAA, which in turn did not create a private right of action.
The state Supreme Court disagreed, finding that while HIPAA created no private right to sue, the privacy rule could be used as a standard of care in a negligence lawsuit.
“The regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records,” Justice Flemming Norcott wrote for a unanimous court in Byrne v. Avery Center for Obstetrics and Gynecology PC, 102 A.3d 32 (Conn. 2014). “To the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be used to inform the standard of care applicable to such claims.”
The high court therefore remanded the case to the trial court for further proceedings. On remand, the trial court granted the Avery Center summary judgment on the negligence claims, arguing that Connecticut courts had not recognized a common-law privilege for physician-patient communications. Lucy again appealed, contending that there was such a duty of confidentiality and it extended to compliance with a subpoena. She cited HIPAA and the state’s evidentiary physician-patient privilege statute (§52-146o) as evidence of “public policy considerations” supporting such a duty.
“The dispositive issue in this appeal is whether a patient has a civil remedy against a physician if that physician, without the patient’s consent, discloses confidential information obtained in the course of the physician-patient relationship,” Justice Dennis Eveleigh wrote in the court’s opinion. “We conclude that recognizing a cause of action for the breach of the duty of confidentiality in the physician-patient relationship by the disclosure of medical information is not barred by §52-146o or HIPAA and that public policy, as viewed in a majority of other jurisdictions that have addressed the issue, supports that recognition.”
In support of this view, the court noted that other jurisdictions have continued to recognize a cause of action for breach of confidentiality since HIPAA’s enactment, on the view that such state-law claims complement HIPAA by enhancing the penalties for violations.
Therefore, a healthcare provider’s unauthorized disclosure of confidential information obtained in treating a patient gives rise to a tort cause of action against the provider, unless the disclosure is otherwise allowed by law, the court ruled.
The Avery Center argued that, even if such a cause of action were recognized, it could not apply in this case because Lucy’s records were disclosed in response to a subpoena and Section 52-146o does not bar such a disclosure. According to the court, however, while the statute allows disclosures without consent “pursuant to any statute or regulation of any state agency or the rules of court,” a subpoena without a court order does not fall into this category.
Moreover, citing its prior ruling that HIPAA’s procedures may inform the standard of care, the court noted the detailed process HIPAA prescribes for disclosing protected health information in response to a subpoena. The Avery Center’s “own admissions establish that it did not comply with this regulation when it responded to the subpoena in the present case,” Eveleigh wrote.
Finding a genuine factual issue regarding whether the Avery Center met its duty of confidentiality, the court once again reversed and remanded the trial court’s decision.
This case should remind plan sponsors of the need to comply with HIPAA when responding to a subpoena. When a covered entity receives a subpoena, discovery request, or other lawful process not accompanied by an order, it may disclose protected health information (PHI) only if it receives “satisfactory assurance” (see below) from the party seeking the information that it has made “reasonable efforts” to:
- Ensure that the individual who is the subject of the requested PHI has been notified of the request; or
- Secure a qualified protective order that meets the privacy rules’ requirements.
David A. Slaughter, JD, is a Senior Legal Editor for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar.