On November 11, 2014, the Connecticut Supreme Court ruled that HIPAA does not preempt Connecticut State common law claims for negligence or negligent infliction of emotional distress, and that HIPAA may provide the applicable standard of care. The Connecticut decision joins a number of decisions in other States, including Missouri, Indiana, West Virginia and North Carolina, holding that HIPAA can establish the standard of care in support of State common law negligence claims.
In Byrne v. Avery Center, the plaintiff received gynecological and obstetrical services from the defendant Avery Center. After the plaintiff ended a relationship with a man named Mendoza, he filed several paternity suits against her, and in connection with the paternity suits, defendant Avery Center was served with a subpoena for the plaintiff’s medical records. Instead of seeking plaintiff’s authorization to disclose the records, obtaining a protective order, or filing a motion to quash, the defendant mailed a copy of the medical records to the court. Before the plaintiff was able to file a motion to seal her records, Mendoza viewed them. The plaintiff alleged that she suffered harassment and extortion threats from Mendoza after he viewed her medical records, and that Mendoza was able to use the information to file several civil actions, including paternity and visitation actions. On motions for summary judgment by both parties, the trial court dismissed the plaintiff’s negligence and negligent infliction of emotional distress claims, noting that it is well-settled that HIPAA does not provide a private right of action and that HIPAA preempts any action dealing with confidentiality/privacy of medical information. The plaintiff appealed and the Connecticut Supreme Court reversed the trial court as described above. Click here to read the Connecticut decision.
The lesson from Byrne is that while it is generally understood that there is no private right of action under HIPAA, healthcare providers and their business associates should be mindful of the potential for de facto enforcement of HIPAA via State law negligence claims by individual patients in addition to enforcement actions instituted by State Attorneys General and federal agencies. For questions about HIPAA compliance issues, contact a member of the McGrath North Privacy and Data Security Group.