Norton Rose Fulbright - Data Protection Report blog

On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy.  (Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, __ A.3d __ (Jan. 16, 2018)). Particularly noteworthy is the new standard for a physician’s level of care: compliance with HIPAA.  In other words, violation of HIPAA can lead to a state law claim in Connecticut, but the decision does NOT create a private right of action under HIPAA.

The facts of Byrne v Avery

The case began in May of 2004, when the plaintiff began dating Andro Mendoza, but she ended the relationship in September of 2004.  The plaintiff went to the defendant health care provider for gynecological and obstetrical care.  The defendant provided all of its patients with a notice of its privacy practices, as required by HIPAA, regarding the treatment of protected health information (“PHI”), including that the defendant would not disclose plaintiff’s PHI without her authorization.

In October of 2004, the plaintiff instructed the defendant not to release her medical records to Mr. Mendoza.  In May of 2005, Mr. Mendoza filed a paternity action against the plaintiff, and he served a subpoena on defendant to appear at a designated office and produce “all medical records” pertaining to the plaintiff.  At this point, the defendant could have (a) notified the plaintiff of the subpoena; (b) filed a motion to quash the subpoena; or (c) appeared in court.  Instead, the defendant mailed a copy of the plaintiff’s medical file to the court, and Mr. Mendoza reviewed the entire file.  The plaintiff then filed a motion to seal the file, which the court granted.  The plaintiff then claimed that she suffered harassment and extortion threats from Mr. Mendoza since he viewed her medical information.

The Byrne v Avery lawsuit and initial court rulings

The plaintiff sued the defendant in Connecticut state courts, alleging four causes of action:

  1. Breach of contract by violating the privacy policy by disclosing her PHI without authorization;
  2. Negligence, by failing to use proper and reasonable care to protect her medical file and disclosing it in violation of Connecticut law (General Statutes § 52-146o) and the HIPAA regulations;
  3. Negligent misrepresentation, upon which the plaintiff relied to her detriment, that her health information would be protected in accordance with the law; and
  4. Negligent infliction of emotional distress.

Both parties moved for summary judgment.  The trial court ruled for the defendant on counts 2 and 4, finding that HIPAA pre-empted those claims: count 2 was pre-empted because HIPAA pre-empted the Connecticut statute and count 4 was pre-empted because it would permit a private right of action for a claim that amounted to a HIPAA violation.  Consequently, the trial court dismissed these two counts for lack of subject matter jurisdiction.

On the other hand, the court denied both parties’ summary judgment motions on counts 1 and 3, finding that the breach of contract and negligent misrepresentation claims raised genuine issues of material fact.  Plaintiff appealed all the way to the Connecticut Supreme Court, which ruled that HIPAA did not pre-empt the plaintiff’s state common-law causes of action for negligence or negligent infliction of emotional distress, and that the HIPAA regulations “may inform the applicable standard of care in certain circumstances.”  314 Conn. At 436, 102 A.3d 32.  The court remanded back to the trial court.

On remand, the defendant again moved for summary judgment, this time claiming that no Connecticut court had ever recognized a common-law cause of action against a health care provider for breach of duty of confidentiality for responding to a subpoena.  The trial court agreed.  The plaintiff again appealed all the way to the Connecticut Supreme Court.

The January 2018 Byrne v Avery ruling

The Connecticut Supreme Court ruled that “recognizing a cause of action for the breach of the duty of confidentiality in the physician-patient relationship by the disclosure of medical information is not barred by § 52-146o [the Connecticut law] or HIPAA and that public policy, as viewed in a majority of other jurisdictions that have addressed the issue, supports that recognition.” 327 Conn. At 550.  The court also stated that it has the inherent authority “pursuant to the state constitution, to create new causes of action.”  Id. at 554.

The court quoted its previous opinion in this case relating to HIPAA regulations as a standard:

to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.

327 Conn. at 556-557, quoting 314 Conn. at 458-459.  The court concluded that:

a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship for the purpose of treatment gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law.

327 Conn. at 567-568.  The court then reversed and remanded the case.

Other states, including New York, Massachusetts and Missouri, have issued similar rulings regarding a patient’s right to sue over confidentiality breaches. We will continue to follow this line of cases and provide updates on our blog.

* * *

Subscribe to posts from Data Protection Report.