HIPAA Violations May Result in Private Right of Action under State Law – and why every company should care

Published on Nov 17, 2014

The risk of liability just went way up for mishandling sensitive health information, and perhaps also other types of private information protected by federal statutes.

On November 11, 2014, the Connecticut Supreme Court determined that HIPAA can create a standard for a private right of action under state law for a victim who had her protected health information wrongfully disclosed to a third party during discovery.  Byrne v. Avery Center for Obstetrics and Gynecology, P.C.[1] holds that the state court may look to HIPAA standards to determine the “standard of care” that should be applied in deciding a state law negligence claim.  Therefore, the plaintiff’s negligence claim against her healthcare provider may be based on the provider’s disclosure of her health records in violation of HIPAA, effectively creating a private right of action for HIPAA violations under state law – even though HIPAA itself does not provide a private right of action.[2]  The court also held that HIPAA does not preempt the state law.

In a paternity lawsuit against the patient by her ex-boyfriend, her healthcare provider produced the patient’s medical records to the ex-boyfriend without notifying her.  The patient then sued the healthcare provider for negligence and negligent infliction of emotional distress under state law, alleging that as a result of the disclosure, she suffered harassment and extortion threats from her ex-boyfriend.

Notably, the court assumed but did not find that Connecticut’s common law permits a claim for a health care provider’s breach of a duty of confidentiality through responding to a subpoena.  It only found that if such a claim can exist, it may rely on HIPAA standards.

This decision is significant for two big reasons:

First, if you or your company are responsible for a HIPAA disclosure as either a healthcare provider, health plan, health care clearinghouse, or a Business Associate (BA) of a covered entity, liability can now go beyond a penalty by the government.  The persons who were the subject of any wrongful disclosure have the right to sue for the disclosure. This could involve a single plaintiff, as in this case, or, in cases of large disclosures or data breaches, companies may find themselves faced with a class action of many suspected victims.

Second, this decision may have wider implications than just HIPAA.  U.S. privacy law is a patchwork of many regulations, many of which do not provide a federal right of action.[3]  If all federal standards for privacy or security violations can be applied to state causes of action based on negligence, any disclosure violating those standards could now result in private actions.  This may greatly increase the risks of data leaks and breaches that involve any personal information, not just health records.

[1] 2014 WL 5507439 (Conn. Nov. 11, 2014).

[2] The court found the “single mention [of HIPAA in the complaint] as providing one of several bases for establishing the standard of care applicable to the plaintiff’s common-law negligence claims and not as asserting an independent cause of action.”  Other causes of action included misrepresentation by the provider because its privacy policy, provided to the plaintiff when she was a patient, stated that it complied with HIPAA.

[3] E.g., see Gonzaga University v. Doe, 122 S. Ct. 2268 (2002) (Federal Educational Rights and Privacy Act (FERPA) does not create a private right of action under federal law).

Written by: Innovative Driven