In an opinion released on November 11, the Connecticut Supreme Court ruled on whether the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations preempt a common law claim for negligence arising from the disclosure of a patient’s medical records. Under HIPAA, no private cause of action is available to patients. However, the Connecticut court in Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 2014 Conn. LEXIS 386 (Conn. Nov. 1, 2014), refused to dismiss a patient plaintiff’s negligence claims on the basis of preemption, thus allowing plaintiffs to circumvent the ban on private causes of action. In addition to permitting the claims to proceed, the court noted that a finder of fact may consider HIPAA to be the applicable standard of care governing the handling of medical records.

In the Byrne case, the plaintiff instructed the defendant medical practice not to release her medical records to a man with whom she previously had a personal relationship (Mendoza). When the defendant was served with a subpoena for the plaintiff’s medical records in the context of a paternity suit, the defendant failed to comply with the instruction and supplied the records to the probate court. The defendant did not notify the plaintiff of the subpoena and did not file a motion to quash the subpoena or appear in court. The plaintiff was first notified of the disclosure when Mendoza informed the plaintiff that he had reviewed her medical records. The plaintiff subsequently filed suit, claiming she was the victim of harassment and extortion threats. In her complaint, she alleged, among other things, that (a) the defendant acted negligently in failing to use proper and reasonable care in protecting her medical file, including disclosing it without authorization in violation of both Connecticut statutory law (General Statute § 52-146o) and the regulations implementing HIPAA, and (b) the defendant engaged in conduct constituting negligent infliction of emotional distress.

The trial court dismissed both negligence claims on the basis of HIPAA preemption. In doing so, the court rejected the plaintiff’s assertion that HIPAA was not the basis of her causes of action but rather was evidence of the appropriate standard of care for her claims brought under state law. The trial court found that the claims were essentially claims for HIPAA violations and were therefore preempted under HIPAA’s no private cause of action clause.

Following its review of the case, the Connecticut Supreme Court assumed, but did not rule, that state common law would recognize a negligent cause of action arising from a health care provider’s breach of patient privacy when complying with subpoenas for medical records. The court then stated, “we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances.” Byrne, 2014 Conn. LEXIS 386, at *27.

In its detailed analysis of the question of preemption, the court noted, “[c]onsistent with these principles, the regulatory history of . . . HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff's medical records.” Id. at *37. Following a review of decisions in other states, the court concluded that, if the state common law recognizes claims arising from a health care provider’s breach of its duty of confidentiality in complying with a subpoena, HIPAA (and its lack of a private right of action) would not preempt such claims. The court further found that that HIPAA may be utilized as the standard of care in applying common law negligence claims, stating:

We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena. The availability of such private rights of action in state courts, to the extent that they exist as a matter of state law, do not preclude, conflict with, or complicate health care providers' compliance with HIPAA. On the contrary, negligence claims in state courts support at least one of HIPAA's goals by establishing another disincentive to wrongfully disclose a patient's health care record. Accordingly, we conclude that the trial court improperly dismissed counts two and four of the plaintiff's complaint, sounding in negligence and negligent infliction of emotional distress.

Id. at **47–48 (internal quotations and citations omitted).

The Byrne case is an example of a state court ruling that HIPAA’s private cause of action prohibition does not preclude state common law or statutory law claims for unauthorized disclosure of medical records. While other states have refused to go as far as Connecticut and have dismissed common law and state statutory claims based on the fact that HIPAA does not provide a private cause of action,¹ Connecticut is now part of a growing number of courts to rule otherwise.² The stage is now set for future debate on this issue and future lawsuits by patients whose personal health information may have been disclosed. 

In light of the Byrne decision, health care providers, other HIPAA-covered entities, and business associates should note that their failure to comply with HIPAA could result in common law liability that is separate from possible administrative penalties and other enforcement action taken by the U.S. Department of Health and Human Services. To reduce this risk, health care providers should continue to review their HIPAA policies and procedures on an annual basis, train employees on HIPAA requirements, and require HIPAA releases prior to any disclosure of medical records.

Endnotes

1 See, e.g., Bonney v. Stephens Memorial Hospital, 2011 ME 46, p.20 (Me. 2011) (holding that because HIPAA does not provide a private cause of action, it cannot create a standard for violation of state common law); Young v. Carran, 289 S.W.3d 586, 588 (Ky. Ct. App. 2008) (“HIPAA does not create a state-based private cause of action for violations of its provisions”).

2 See, e.g., R. K. v. St. Mary’s Med. Ctr., Inc., 229 W. Va. 712, 718–21 (W. Va. 2012) (using HIPAA as standard of care for breach of medical confidentiality); Acosta v. Byrum, 180 N.C. App. 562, 568 (N.C. Ct. App. 2006) (acknowledging HIPPA as setting the standard of care); I.S. v. Washington Univ., 2011 U.S. Dist. LEXIS 66043, at *16 (E.D. Mo. June 14, 2011) (recognizing claim for negligence per se despite HIPAA); K.V. v. Women's Healthcare Network, LLC, 2007 U.S. Dist. LEXIS 102654, at *2 (W.D. Mo. June 6, 2007) (concluding that negligence per se claim based on HIPAA was a state-law claim); Harmon v. Maury County, TN, 2005 U.S. Dist. LEXIS 48094, at *11 (M.D. Tenn. Aug. 31, 2005) (permitting negligence per se claim based on HIPAA violation); Doe v. Southwest Cmty. Health Ctr., 2010 Conn. Super. LEXIS 2167, at *25–26 (2010) (denying summary judgment on negligence claim per duty imposed by common law and HIPAA). See also Fanean v. Rite Aid Corp. of Delaware, Inc., 984 A.2d 812, 817 (Del. Super. Ct. 2009) (failing to discuss HIPAA and recognizing emotional distress and negligence claims); Baum v. Keystone Health Plan, 826 F.Supp.2d 718, 721 (E.D. Pa. 2011) (permitting negligence and negligence per se claims); Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 49–50 (Minn. Ct. App. 2009) (holding Minnesota statute not preempted by HIPAA).