HIPAA Permits State Law Actions for Breach of Confidentiality
By Robert Denny, Litigation News Contributing Editor – March 2, 2015

Even though the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not itself provide a private right of action, HIPAA may provide the standard of care in a negligence action against a health-care provider for privacy violations, according to the Connecticut Supreme Court in Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C. While the decision may not change the requirements businesses must follow when responding to subpoenas for health information, it underscores the need for businesses to have sound privacy policies in place.

Plaintiff’s Medical Records Disclosed
The plaintiff received treatment at an obstetrics and gynecology center where she received a privacy notice explaining that her health information would not be disclosed without her authorization. She explicitly instructed the center not to disclose her medical records to Andro Mendoza, an individual with whom she formerly had a relationship.

Mendoza later brought a paternity suit against the plaintiff and subpoenaed her medical records from the center. In response to the subpoena, the center produced the plaintiff’s medical file, but did not notify the plaintiff of Mendoza’s request. The plaintiff alleged that after reviewing her file, Mendoza harassed her and threatened her with extortion.

Privacy Action Dismissed
The plaintiff sued the center in Connecticut state court. She asserted several allegations, including that the center negligently disclosed her medical records, without authorization, in violation of HIPAA regulations and Connecticut statute. Both parties moved for summary judgment.

The trial court held that “HIPAA preempts any action concerning confidentiality/privacy of medical information.” Recognizing that HIPAA does not create a private right of action, the court dismissed the plaintiff’s negligence claims, concluding that HIPAA violations must be pursued through the Department of Health and Human Services’ “administrative channels.”

HIPAA Can “Inform” the Standard of Care
On appeal to the Connecticut Supreme Court, the plaintiff argued that negligence actions where HIPAA provides the standard of care “complement rather than ‘obstruct’ HIPAA for preemption purposes.” The center, on the other hand, argued that since HIPAA barred private rights of action, its requirements could not be used as the standard of care in a negligence action. The Connecticut high court agreed with the plaintiff.

The court recognized that HIPAA “supersede[s] any contrary provision of State law,” unless the state law is more stringent. Based on the statute’s regulatory history, the court reasoned that state law tort actions based on an unauthorized release of medical records were not intended to be preempted by HIPAA.

As a result, the court concluded that HIPAA did not preempt a cause of action “arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena.” The court went on to note that HIPAA could “inform the standard of care” in certain circumstances.

Robust, Up-to-Date Privacy Policies Are Essential
This case could “have a tremendous impact on the industry, especially given that it was decided after the HITECH Act,” notes Ryan P. Blaney, Washington, D.C., member of the ABA Section of Antitrust Law’s Health Care and Pharmaceuticals Committee. “This means that it applies both to health-care providers and business associates. So you could have a copy vendor, a data analytics company, or somebody that is not a health-care provider but is a business associate of a health-care provider, being caught up in this same type of litigation,” notes Blaney.

“While this decision has caused significant concern among HIPAA practitioners, it is important to note that the plaintiff specifically instructed the health-care provider not to give her records to this individual,” adds Layna S. Cook, Baton Rouge, LA, member of the ABA Health Law Section. This decision “is a good warning that the government might not be the only person coming after you if you do not have adequate privacy policies or you are not following them,” she continues. “Businesses need to be as diligent as ever, but I do not think the decision imposes any new obligation on them—just a new area of liability perhaps,” adds Cook.

“Make sure you have up-to-date policies, that they fit your practice, and that your folks are trained on those policies,” Cook suggests. Moreover, in responding to a subpoena for health information, “businesses need to ensure that they only turn over documents that are minimally necessary to respond to a request,” says Blaney. “Businesses should negotiate the scope of the subpoena and eliminate or narrow the production of Protected Health Information (PHI). For example, if the subpoena requests medical records related to X, Y, and Z, but the underlying case only relates to Y, the respondent should only agree to produce the PHI that relates to Y,” he advises.

Keywords HIPAA, health care, negligence, privacy, health records
