The Health Insurance Portability and Accountability Act (HIPAA), while requiring protected health information be kept private, does not provide for a private right of action based on a HIPAA violation. Rather, an individual may file a complaint with the Office of Civil Rights if he or she believes a violation of their right to privacy or private medical information security under HIPAA has occurred.

However, a recent decision in the State of Connecticut (Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 2014 WL 5507439 (2014)) offers yet another example of alternative state-law claims that are being permitted by the courts for improper disclosure of protected health information based on HIPAA privacy standards. These potential state tort claims include Invasion of Privacy, Breach of Confidentiality, Negligence and Infliction of Emotional Distress.

Given this and prior decisions, healthcare providers and their business associates need to ensure compliance with HIPAA privacy and security standards; especially the completion of a risk assessment and development of policies and procedures for access, use and disclosure of protected health information by staff.