A recent ruling by the Connecticut Supreme Court could potentially pave the way for a wave of lawsuits from victims of theft and fraud who have had their protected health information disclosed and have suffered losses or harm as a result.
The case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology was heard by the court after a patient’s medical records were provided to a third party despite explicit instructions to the contrary. While this is just one individual case, legal experts are now considering how this ruling will apply to data breaches involving millions of potential victims.
HIPAA violations are investigated by the Office for Civil Rights of the Department of Health and Human Services and financial penalties are issued to organizations that breach regulations. HIPAA makes no provision for the private right of action to sue for loss and damage caused by non-compliance issues or data breaches, although a small number of cases have been heard by the courts where HIPAA has been allowed as the Standard of Care in negligence claims.
It was not possible for a victim of a HIPAA violation to file a lawsuit for the violation of privacy under HIPAA regulations; however, Byrne’s negligence claim was heard by the court on the grounds that the release of her medical records constituted professional negligence, with the medical center having acted in a manner contrary to the rules laid down in HIPAA and subsequent amendments.
The Supreme Court agreed that the case may involve a breach of generally accepted standards of care and ruled that the case should be heard in a lower court. The case is expected to take place next year.
By building a case using HIPAA as the ‘standard of care’ that exists to protect the confidentiality of patient medical records, the issue of the privacy breach could be heard by the court as the medical center failed to meet that standard of care, was negligent, and harm was caused to the patient as a direct result.
However, in the case of data breaches, victims could potentially bring a case to court on the same grounds if a standard of care has not been met. Healthcare providers as well as business associates would potentially be liable, and all HIPAA-covered entities could face lawsuits following security breaches.
It is important to note that negligence alone is not sufficient cause to file a claim as it must be established and proven that a lapse or failure to meet a standard of care caused loss or damage as a direct result. Without an injury or loss there is no valid claim for damages. Class action lawsuits against healthcare companies have not been heard as it has not been possible to establish that any harm, loss or damage had actually occurred.
In the case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology, the patient, Emily Byrne, discovered that she was pregnant and contacted the medical center, giving explicit instructions not to divulge this information to the father of her unborn child, as she had finished the relationship and did not want him to know.
Emily exercised her privacy rights under HIPAA as she was entitled to do; however, the medical center released the medical records to the alleged father of the child after receiving a subpoena. It did not alert Byrne that the data was being released, nor did it seek legal advice from the courts on the matter.
After the information was obtained, the father of the child conducted a campaign of “harm, ridicule, embarrassment and extortion”. The harm caused by this campaign could have been avoided were it not for the HIPAA violation and disclosure of her medical records.
While the medical center had to respond to the subpoena, if Byrne had been notified she could have taken legal action herself. It is alleged that, by failing to notify its patient of the release of her medical records, the center failed to meet a standard of care, and that it should have contacted the patient or her legal representative after receiving the subpoena.