In November 2014, the Connecticut Supreme Court decided in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. [2014] (the 'Byrne Case') that an action for negligence arising from a health care provider's breach of patient privacy is not preempted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The decision reversed a previous trial court decision, which had concluded that Ms. Byrne's state law claims for negligence and negligent infliction of emotional distress were preempted by HIPAA.

Michael J. Kline and Elizabeth G. Litten discuss the implications of the Supreme Court decision that allowed HIPAA to be used as a basis for state negligence by a plaintiff.

Background

HIPAA lacks a private right of action and preempts state laws that are 'contrary' to HIPAA. Nevertheless, the Connecticut Supreme Court allows plaintiffs to import federal privacy standards into state court actions that allege privacy violations and seek remedies under state law. In the Byrne Case, the court held: "Assuming, without deciding, that Connecticut's common law recognizes a negligence cause of action arising from health care providers' breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances."

This decision adds the Connecticut Supreme Court to the growing list of courts that agree that HIPAA's lack of a private right of action does not necessarily foreclose an action under state statutory and common law that uses HIPAA requirements as the standard for reasonable care.

The Byrne Case is significant because it is the first decision by the highest court of a state to hold that state statutory and common law causes of action for negligence, including invasion of privacy and infliction of emotional distress, are not necessarily preempted by HIPAA, so that individuals are not barred from seeking recourse in state courts for breaches of HIPAA that implicate negligence standards under state statutory or case law. It acknowledges that HIPAA may be the most appropriate standard of care for determining whether negligence occurred.

The Byrne Case: Not a "Garden Variety" Breach

The Byrne Case is, in itself, interesting because it is related to the alleged attempt of the defendant physician practice group to comply with a state court subpoena and the practice's resulting violation of HIPAA.

Emma Byrne, the patient in this case, brought an action against her health care provider for improperly breaching the confidentiality of her medical records and alleged claims for negligence and negligent infliction of emotional distress under Connecticut state law. The following facts were found irrefutable in court:

  • The defendant physician practice group provided the plaintiff with gynecological and obstetrical care and treatment.
  • The defendant provided its patients, including the plaintiff, with notice of its privacy policy regarding PHI under HIPAA and agreed, based on this policy and on law, that it would not disclose the plaintiff's health information without her authorization.
  • The plaintiff later began a personal relationship with an individual ('the Individual') that ended five months later, after which time the plaintiff instructed the defendant not to release her medical records to the Individual.
  • Thereafter, the defendant was served with a subpoena requesting its presence together with the plaintiff's medical records at a court proceeding.
  • The defendant did not alert the plaintiff to the subpoena, file a motion to quash it, or appear in court.
  • The defendant mailed a copy of the plaintiff's medical file to the court.
  • The Individual informed the plaintiff by telephone that he had reviewed the plaintiff's medical file in the court file.

Claiming that she suffered harassment and extortion threats from the Individual after he viewed her medical records, the plaintiff then sued the defendant for breach of contract when it violated its privacy policy by disclosing her PHI without authorization. She alleged that the defendant acted negligently by failing to use proper and reasonable care in protecting her medical file and disclosing it without authorization under state statutory law and HIPAA. The plaintiff also claimed the defendant engaged in conduct constituting negligent infliction of emotional distress.

Actions That Are Suggested by the Results of the Byrne Case

The Byrne Case establishes important implications for HIPAA matters beyond allowing individuals to sue under state tort law, using a violation of HIPAA regulations as the standard of care. A 'covered entity' ('CE') and a 'business associate' ('BA'), as defined under HIPAA, may also respond to the Byrne Case with the following actions:

  • CEs and BAs should consider acquiring sufficient cybersecurity insurance with expanded coverage and limits. Such coverage should not be limited to coverage for HIPAA violations, but should cover any types of losses resulting from a data breach, including a breach of PHI, PHR or PI arising under federal or state law.
  • Business associate agreements ('BAAs') should be reviewed to see if they include obligations regarding individual health information arising under federal and/or state laws other than HIPAA. BAAs may expose the

Conclusion

As a result of the Byrne Case, efforts to use HIPAA regulations or other federal statutes and regulations as standards for causes of action under state law involving breaches relating to individual health information can be expected to rise. This area will be the source of expanded litigation and uncertainty in jurisdictions around the country, unless and until the Supreme Court of the United States renders its opinion on the matter.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.