It has long been established that there is no private right of action under HIPAA. All providers must be aware, however, that state courts are beginning to turn the tide regarding such liability. On November 11, 2014, the Supreme Court of Connecticut ruled that HIPAA does not preempt a plaintiff's state law cause of action for negligence or negligent infliction of emotional distress against a health care provider who breached its duty of confidentiality in the course of complying with a subpoena. While a provider still would not be directly liable to an individual for a claim of failing to meet HIPAA, providers are now open to certain state law actions and liability.
In Byrne v. Avery Center for Obstetrics and Gynecology, PC, the defendant health care provider provided the plaintiff with gynecological and obstetrical care and treatment. The health care provider gave its patients, including the plaintiff, a Notice of Privacy Policies regarding their protected health information and agreed, based on that policy and the law, that it would not disclose the plaintiff's health information without her authorization.
In May 2004, the plaintiff began a personal relationship with Andro Mendoza which lasted until September 2004. In October 2004, she instructed the defendant not to release her medical records to Mendoza. In May 2005, Mendoza filed paternity actions against the plaintiff. The defendant was served with a subpoena requesting the plaintiff's medical records. The defendant did not alert the plaintiff to the subpoena, file a motion to quash or appear in court; rather, it mailed a copy of the plaintiff's medical file to the court. The plaintiff alleged that she suffered harassment and extortion threats from Mendoza since he viewed her medical records.
In filing suit against the health care provider, the plaintiff claims that it (1) breached its contract with her when it violated its privacy policy by disclosing her protected health information without authorization; (2) acted negligently by failing to use proper and reasonable care in protecting her medical file; (3) made a negligent misrepresentation that her medical file and the privacy of her health information would be protected in accordance with law; and (4) engaged in conduct constituting negligent infliction of emotional distress.
The trial court dismissed the plaintiff's negligence claims, finding that HIPAA preempts any action dealing with confidentiality or privacy of medical information. The patient appealed, arguing that she was not asserting a claim for relief premised solely on a violation of HIPAA but rather that she was asserting common law negligence actions with HIPAA forming the standard of care. The Connecticut Supreme Court agreed with the patient, finding that HIPAA does not preempt causes of action when they exist as a matter of state common or statutory law arising from a health care provider's breach of patient confidentiality.
This case should serve as a reminder to covered entities and their business associates that while there is not a private right of action under HIPAA, HIPAA's privacy standards may serve as a standard of care for state law negligence claims. Moreover, given that a state's highest court has recently addressed the issue and ruled in favor of a plaintiff, it is anticipated that similar suits against covered entities and their business associates will follow. All providers should also revisit their policies and procedures regarding the release of records and ensure they have protocols in place for subpoenas, court orders and other less common third-party requests for information.
If your business needs help with its privacy or data security procedures and practices, or if you have questions about this Alert or any other federal or state privacy laws, please contact your Baker Donelson attorney.