Court Allows HIPAA Negligence Claim
Experts Analyze Potential Impact of Decision
Legal experts are analyzing the potential national impact of a Connecticut Supreme Court ruling that plaintiffs can sue for negligence if a healthcare provider violates HIPAA regulations for protecting patient privacy.
The Connecticut case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology involved a patient who sued a healthcare clinic that released her medical records to a third party without her authorization. But legal experts say the ruling could potentially have relevance in certain data breach cases.
"HIPAA does not provide for the 'private right of action,' or [the right of] private folks to sue under the statute," says privacy attorney Brad Rostolsky of the law firm Reed Smith. "Enforcement actions and fines for HIPAA violations are levied by federal regulators. But in a handful of cases, like this Connecticut ruling, courts have allowed HIPAA as the 'standard of care' for negligence claims."
Privacy Issues
Byrne's attorney, Bruce Elstein of the Connecticut law firm Goldman, Gruder & Woods, tells Information Security Media Group: "Before this ruling, individuals could not file a lawsuit claiming violation of their privacy under the HIPAA regulations. It was for that reason that we filed a negligence claim, claiming the medical office was negligent when it released confidential medical records contrary to the requirements set forth in the HIPAA regulations.
"The state Supreme Court agreed that a violation of HIPAA regulations may constitute a violation of generally accepted 'standards of care,' and remanded the case back to the lower court for trial." That trial likely will take place next year, he says.
Privacy attorney Elizabeth Hodge of the law firm Akerman LLP explains that in this Connecticut case, HIPAA is the "standard of care" for protecting patient confidentiality that was used to show that a patient's privacy rights were violated. "In data breach cases, plaintiffs could argue that a healthcare provider, insurer or other covered entity did not meet the 'standard of care' with the HIPAA security or privacy rule in protecting records, and that the failure to meet that standard of care was negligent."
Rostolsky says the ruling in Connecticut not only potentially impacts covered entities in other cases, but also business associates, who are also directly liable for HIPAA compliance under the HIPAA Omnibus Rule.
Nonetheless, in negligence lawsuits, plaintiffs need to show damages, Rostolsky points out. Many class action lawsuits involving data breaches have been dismissed by courts because they've lacked evidence showing that individuals impacted by a breach subsequently have been victims of fraud or have suffered other damages.
Attorneys say that because this Connecticut lawsuit has been kicked back to a lower court for trial, it's not yet clear how the case will play out.
Case Details
The suit against Avery Center for Obstetrics and Gynecology in Westport, Conn., was filed by Byrne, a former patient who now resides in Vermont.
Elstein says that in the early fall of 2004, Byrne learned that she was pregnant. "Shortly afterward, she called the Avery Center to instruct them not to release any of her medical information to the father of the child, with whom she was no longer in a relationship," Elstein says. "This request was well within her rights as protected under the HIPAA Act."
The information contained in Byrne's medical file "was highly sensitive, deeply personal and confidential," Elstein says. "But despite Byrne's clear instructions, and in violation of its own stated privacy policy, the Avery Center released her medical file [to her ex] upon subpoena. It failed to make any attempt to notify Byrne of the subpoena or to seek guidance from a court on the disclosure to be made."
The father of Byrne's child used her personal health information "for a campaign of harm, ridicule, embarrassment and extortion," Elstein alleges. "If HIPAA had been followed, Byrne would have been able to keep her sensitive and private information confidential."
Hodge says a critical mistake that the health center made was failing to contact the patient after receiving the subpoena. "They should have contacted the patient or her attorney so that she could take action" against the release of the information, she says.
Rostolsky recommends to his clients that there be "a designated person to handle subpoenas" within their organizations. "This was a big mess that could have been avoided," he says.
An attorney representing Avery Center did not respond to ISMG's request for comment.