Patients can sue doctors for negligence after alleged patient privacy breaches, the Connecticut Supreme Court has ruled in a decision that could have nationwide implications.
The state’s highest court concluded that HIPAA does not preempt claims for emotional distress or negligence under state law. The ruling, published Nov. 11, sets precedence in Connecticut and is likely to encourage plaintiffs to raise similar claims in other states, according to Michael J. Kline, a New Jersey attorney who specializes in corporate and securities law.
Michael J. Kline
“It’s a momentous case, and I think it’s serious for physician practices,” said Mr. Kline. “It can set the stage for plaintiffs’ attorneys within given states to [pursue] class actions for emotional distress or invasion of privacy on the grounds there was negligence” in connection to HIPAA violations.
The decision stems from a lawsuit filed by Emily Byrne v. Avery Center for Obstetrics and Gynecology P.C. in Westport, Conn. Ms. Byrne claimed that in 2004, she instructed the health center not to release her medical records to an ex-boyfriend. In 2005, the medical center was served with a subpoena by the former boyfriend requesting the plaintiff’s medical records for a paternity proceeding. The defendant did not alert Ms. Byrne about the subpoena and mailed a copy of her medical file to the probate court, according to court records.
Ms. Byrne later sued the health care center, claiming she suffered harassment and extortion threats from her ex-boyfriend because the medical records were exposed. The complaint alleged the health center engaged in negligent infliction of emotional distress and acted negligently by failing to use proper and reasonable care in protecting her medical file, including disclosing it without authorization in violation of HIPAA.
A trial court agreed with the medical practice’s contention that HIPAA precludes individual liability claims pertaining to confidentiality of medical information. The court cited well-established case law that HIPAA does not create a private right of action and requires alleged privacy violations to be raised through administrative channels. But the Connecticut Supreme Court overturned the decision, ruling that HIPAA does not preempt such negligence lawsuits.
“If Connecticut’s common law recognizes claims arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims,” judges said in their opinion. “We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”
The court went on to say that “the availability of such private rights of action in state courts ... do not preclude, conflict with, or complicate health care providers’ compliance with HIPAA.”
Similar decisions have been made by other courts, but the Connecticut ruling is the first state Supreme Court to issue such a ruling, Mr. Kline said.
For example, in Harmon v. Maury County, the U.S. District Court for the Middle District of Tennessee found that negligence claims founded on violation of HIPAA were not precluded because federal provisions do not completely preempt state law and expressly preserve state laws that aren’t at odds with its terms. The 2005 Tennessee case resulted from a privacy violation claim by a patient against a pharmacy manager. In another pharmacy-patient complaint, Fanean v. Rite Aid Corp. of Delaware Inc., the Superior Court of Delaware concluded that negligence claims could not be premised on a HIPAA violation, but that a common law negligence claim could be predicated upon Occupational Safety and Health Administration requirements. The 2009 opinion noted that HIPAA may act as a “guidepost” to determine the standard of care in common-law negligence claims.
The similar assertions by Connecticut judges that HIPAA does not preempt state rights and can also be used as a standard for what constitutes negligence or improper care of records is concerning for health providers, Mr. Kline said in an interview. Doctors now have to worry that inadvertent HIPAA violations may yield not only a complaint with the Office for Civil Rights, but a potential malpractice suit, as well.
“I would not be surprised if a case like this or even this case is appealed to the Supreme Court of the United States,” Mr. Kline said. “It is still a question of federal law, and what does the federal preemption mean?”