Patients in Connecticut Can Now Sue Healthcare Providers for Privacy Violations

There is no private cause of action in the Health Insurance Portability and Accountability Act, so patients are not permitted to sue healthcare providers for privacy violations.

However, there have been rulings in several states, including New York, Missouri, and Massachusetts, allowing patients to file lawsuits against healthcare providers over unauthorized and negligent disclosures of medical records.

Following a ruling by the Connecticut Supreme Court last week, Connecticut residents will be permitted to file lawsuits for damages following negligent disclosures of medical records that have resulted in harm.

The legal precedent was set by the Supreme Court in the case Byrne v. Avery Center for Obstetrics & Gynecology.

Emily Byrne filed a lawsuit against Avery Center for Obstetrics and Gynecology (ACOG) after her medical records were disclosed to a man seeking custody of her child in a paternity suit.

ACOG was issued with a subpoena to appear before an attorney and supply Byrne’s medical records. ACOG did not challenge the subpoena, made no attempt to limit disclosure, and simply mailed a copy of Byrne’s medical file to the New Haven Regional Children’s Probate Court, where the records were made available to the man seeking custody of her child.

Byrne and her attorney, Bruce L. Elstein of Trumbull, claimed this amounted to negligence and breach of contract. ACOG claimed that under HIPAA Rules, patient consent was not required before medical records were disclosed in response to a subpoena.

Byrne argued that HIPAA creates a standard of care for patient medical records, and Avery violated that standard by releasing her records. Byrne lost the case in the Superior Court, which ruled that HIPAA does not permit private suits to be filed against healthcare providers for HIPAA violations. Byrne appealed, and the case was heard by the Supreme Court, which ruled in 2014 that HIPAA could be used as a standard of care for common law claims.

The case went before the Supreme Court for a second time after the trial court deferred the case as no courts had addressed the issue of negligence. The Supreme Court disagreed with ACOG’s argument that patient consent is not required before medical records are disclosed in response to a subpoena, saying federal laws require the provider to have “satisfactory assurances” that a patient has been given notice about the request.

In this case, satisfactory assurances had not been obtained. Justice Dennis G. Eveleigh wrote, “the defendant did not even comply with the face of the subpoena.”

In the ruling, Justice Eveleigh wrote, “The dispositive issue in this appeal is whether a patient has a civil remedy against a physician if that physician, without the patient’s consent, discloses confidential information obtained in the course of the physician-patient relationship.”

“We agree with the majority of jurisdictions that have considered the issue, and conclude that the nature of the physician-patient relationship warrants recognition of a common-law cause of action for breach of the duty of confidentiality in the context of that relationship.”

“Finally, we have a remedy in Connecticut that recognizes that there is a duty of confidentiality, the breach of which can lead to compensation for damages,” said Elstein.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.