March 02, 2015 Top Story

HIPAA Permits State Law Actions for Breach of Confidentiality

In a negligence action against a health-care provider, HIPAA may provide standard of care

Robert Denny

Even though the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not itself provide a private right of action, HIPAA may provide the standard of care in a negligence action against a health-care provider for privacy violations, according to the Connecticut Supreme Court in Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C. While the decision may not change the requirements businesses must follow when responding to subpoenas for health information, it underscores the need for businesses to have sound privacy policies in place.

Plaintiff’s Medical Records Disclosed 

The plaintiff received treatment at an obstetrics and gynecology center where she received a privacy notice explaining that her health information would not be disclosed without her authorization. She explicitly instructed the center not to disclose her medical records to Andro Mendoza, an individual with whom she formerly had a relationship.

Mendoza later brought a paternity suit against the plaintiff and subpoenaed her medical records from the center. In response to the subpoena, the center produced the plaintiff’s medical file, but did not notify the plaintiff of Mendoza’s request. The plaintiff alleged that after reviewing her file, Mendoza harassed her and threatened her with extortion.

Privacy Action Dismissed 

The plaintiff sued the center in Connecticut state court. She asserted several allegations, including that the center negligently disclosed her medical records, without authorization, in violation of HIPAA regulations and Connecticut statute. Both parties moved for summary judgment.

The trial court held that “HIPAA preempts any action concerning confidentiality/privacy of medical information.” Recognizing that HIPAA does not create a private right of action, the court dismissed the plaintiff’s negligence claims, concluding that HIPAA violations must be pursued through the Department of Health and Human Services’ “administrative channels.”

HIPAA Can “Inform” the Standard of Care 

On appeal to the Connecticut Supreme Court, the plaintiff argued that negligence actions where HIPAA provides the standard of care “complement rather than ‘obstruct’ HIPAA for preemption purposes.” The center, on the other hand, argued that since HIPAA barred private rights of action, its requirements could not be used as the standard of care in a negligence action. The Connecticut high court agreed with the plaintiff.

The court recognized that HIPAA “supersede[s] any contrary provision of State law,” unless the state law is more stringent. Based on the statute’s regulatory history, the court reasoned that state law tort actions based on an unauthorized release of medical records were not intended to be preempted by HIPAA.

As a result, the court concluded that HIPAA did not preempt a cause of action “arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena.” The court went on to note that HIPAA could “inform the standard of care” in certain circumstances.

Robust, Up-to-Date Privacy Policies Are Essential 

This case could “have a tremendous impact on the industry, especially given that it was decided after the HITECH Act,” notes Ryan P. Blaney, Washington, D.C., member of the ABA Section of Antitrust Law’s Health Care and Pharmaceuticals Committee. “This means that it applies both to health-care providers and business associates. So you could have a copy vendor, a data analytics company, or somebody that is not a health-care provider but is a business associate of a health-care provider, being caught up in this same type of litigation,” notes Blaney.

“While this decision has caused significant concern among HIPAA practitioners, it is important to note that the plaintiff specifically instructed the health-care provider not to give her records to this individual,” adds Layna S. Cook, Baton Rouge, LA, member of the ABA Health Law Section. This decision “is a good warning that the government might not be the only person coming after you if you do not have adequate privacy policies or you are not following them,” she continues. “Businesses need to be as diligent as ever, but I do not think the decision imposes any new obligation on them—just a new area of liability perhaps,” adds Cook.

“Make sure you have up-to-date policies, that they fit your practice, and that your folks are trained on those policies,” Cook suggests. Moreover, in responding to a subpoena for health information, “businesses need to ensure that they only turn over documents that are minimally necessary to respond to a request,” says Blaney. “Businesses should negotiate the scope of the subpoena and eliminate or narrow the production of Protected Health Information (PHI). For example, if the subpoena requests medical records related to X, Y, and Z, but the underlying case only relates to Y, the respondent should only agree to produce the PHI that relates to Y,” he advises.

Robert Denny is a contributing editor for Litigation News.

Keywords: HIPAA, health care, negligence, privacy, health records

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).