This month, the Connecticut Supreme Court in Byrne v. Avery Center for Obstetrics and Gynecology, P.C. held that a patient’s state law negligence claim against a health care provider for the unauthorized disclosure of the patient’s medical records was not preempted by the Health Insurance Portability and Accountability Act (HIPAA). In fact, the court held that in some circumstances the HIPAA Privacy Rule can be used to set the standard of care in a negligence action.
In the Byrne case, patient Emily Byrne sued the medical practice from which she received gynecological and obstetrical services (Avery Center for Obstetrics and Gynecology, P.C.) for the unauthorized disclosure of her medical records. Ms. Byrne specifically instructed the medical practice not to release her medical records to Andro Mendoza, a gentleman with whom she had a romantic relationship. After the relationship ended, Mr. Mendoza filed paternity suits against Ms. Byrne. In connection with Mr. Mendoza’s paternity suits, the medical practice was served with a subpoena requesting Ms. Byrne’s medical records. In accordance with the terms of the subpoena, the medical practice mailed a copy of Ms. Byrne’s medical records to the court. Thereafter, Mr. Mendoza informed Ms. Byrne that he reviewed her medical records. Ms. Byrne alleged that she suffered harassment and extortion threats from Mr. Mendoza since he viewed her medical records.
Ms. Byrne subsequently filed a lawsuit against the medical practice. The Connecticut trial court dismissed Ms. Byrne’s claims that the medical practice (1) acted negligently by failing to use proper and reasonable care in protecting her medical file, and (2) engaged in conduct constituting negligent infliction of emotional distress. The trial court agreed with the medical practice’s contention that HIPAA preempts any action dealing with confidentiality/privacy of medical information. Ms. Byrne appealed the trial court’s decision.
On appeal, the Connecticut Supreme Court reversed the trial court’s decision and stated “we agree with the plaintiff (Ms. Byrne) and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances” and “to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”
The Byrne decision adds Connecticut to a growing list of states where courts have held that HIPAA’s lack of a private right of action does not necessarily foreclose state law action, and that HIPAA regulations can establish the standard of care for state law negligence actions against health care providers. The use of HIPAA regulations as standards for causes of action under state law is expected to increase in light of the Byrne decision.
This case serves as another reminder for HIPAA covered entities, business associates and subcontractors to use best practices in protecting patient health information. Failure to do so may open the door to potential liability for claims asserted by an expanding range of potential enforcers, including governmental agencies such as the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, the Federal Trade Commission (FTC), state attorneys general, class action plaintiffs’ attorneys and individual patients. Upcoming audits by OCR can also present potential risks even in the absence of a breach.