A recent opinion from the Connecticut Supreme Court illustrates that HIPAA is not the only law that covered entities and business associates must worry about if an unauthorized disclosure of protected health information (PHI) happens on their watch.
In Emily Byrne v. Avery Center For Obstetrics and Gynecology PC (Docket No. CV-07-6001633-S), the plaintiff filed a four-count complaint against the defendant OB-GYN provider, alleging common law allegations of breach of contract, negligence, negligent misrepresentation, and negligent infliction of emotional distress, after the defendant released plaintiff’s medical records in responding to a subpoena in a paternity suit. The plaintiff had instructed the defendant not to release medical records to the putative father before the defendant received the subpoena, but the opinion does not elaborate on whether the plaintiff knew that a lawsuit was imminent.
The trial court initially dismissed the negligence and negligent infliction of emotional distress claims ruling that: (1) there is no private right of action under HIPAA; and (2) common law negligence claims that amount to HIPAA violations should be preempted by HIPAA. The Supreme Court rejected the lower court’s second conclusion and remanded the case for further proceedings.
After doing an in-depth analysis of the regulatory history of HIPAA’s preemption provisions against the prevailing case law, the Supreme Court concluded that “neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.”
As my colleague Dianne Bourque commented to Law360, “[t]he case is an important reminder that HIPAA does not exist in a vacuum, and that a HIPAA violation may result in a variety of state law claims.”
The Supreme Court further concluded that “to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA[,] its implementing regulations [and state privacy laws like Conn. Gen. Stat. § 52-146o] may be utilized to inform the standard of care applicable to such claims.”
It is clear from this case that plaintiffs are becoming more sophisticated in using HIPAA and other state privacy laws as a tool to inform private rights of action under consumer protection statutes, class actions, and common law. This highlights the importance for holders of PHI or other confidential information to stay abreast of legal developments related to privacy and security to ensure that their policies and procedures do not become obsolete and expose them to risks beyond HIPAA penalties and sanctions.