In a decision released November 11, 2014, the Connecticut Supreme Court reversed the judgment of the trial court and held for the first time in Connecticut that (1) HIPAA does not preempt state common law claims for negligence or negligent infliction of emotional distress, and (2) HIPAA may provide the applicable standard of care. The case, Emily Byrne v. Avery Center for Obstetrics and Gynecology, involved a patient who sued a healthcare clinic after the clinic released her medical records to a third party in response to a subpoena issued in a paternity suit action filed by the father of her child. The patient had specifically instructed the healthcare clinic not to release her medical records to the father. Yet upon receipt of the subpoena, the clinic did not provide notice to the patient of the subpoena or move to quash it. The patient claimed that as a result of the disclosure of her medical records, she suffered harassment and extortion threats from the father.
Although the court recognized the well-established principle that there is no private cause of action under HIPAA, it determined that “neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.” The court went on to hold further that “to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.” The court did clarify in a footnote that its holding should not be interpreted as finding that a violation of HIPAA regulations constitutes negligence per se. The court saved that determination for another day.
The Connecticut court’s decision adds to the growing number of decisions in other states, including Missouri, Indiana, West Virginia and North Carolina, holding that HIPAA can establish the standard of care in support of common law negligence claims. What this growing trend may mean is that in the face of a HIPAA violation, healthcare providers should be mindful of the possibility of de facto enforcement of HIPAA by individual patients in addition to enforcement actions instituted by the appropriate federal agencies.