Reversing a lower court decision, the Connecticut Supreme Court has ruled that patients have a state tort cause of action against health care providers who disclose patients’ confidential medical information without their consent. (Byrne v. Avery Ctr. for Obstetrics & Gynecology, 2018 WL 386488 (Conn. Jan. 16, 2018).)
In May 2005, Mendoza filed paternity actions against Byrne in Connecticut and Vermont and sent the center a subpoena requesting all of Byrne’s medical records. The center did not notify Byrne, file a motion to quash the subpoena, or petition a judge for instructions on how to respond. Instead, the center mailed a copy of Byrne’s complete medical file to a Connecticut court, where Mendoza accessed it. After reviewing the file, Mendoza allegedly began to harass Byrne and attempt to extort money from her. In September 2005, Byrne filed a motion to seal her medical records, which was granted.
Byrne later sued the center, alleging, among other claims, that it was negligent in releasing her medical file without her knowledge or consent and that its actions constituted negligent infliction of emotional distress. The trial court granted the defendant summary judgment as to these claims, ruling they were preempted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
In 2014, the Connecticut Supreme Court reversed, stating that if Connecticut common law “provides a remedy for a health care provider’s breach of its duty of confidentiality . . . [then] HIPAA does not preempt the plaintiff’s state common-law causes of action for negligence or negligent infliction of emotional distress” and that HIPAA could be used to “inform the applicable standard of care” for handling records. (Byrne v. Avery Ctr. for Obstetrics & Gynecology, 314 Conn. 433 (Conn. 2014).) The court, however, declined to determine whether Connecticut common law provided such a remedy and remanded for further proceedings.
On remand, the trial court granted summary judgment to the defendant on the two negligence counts, finding that Connecticut courts had not “recognized or adopted a common-law privilege for communications between a patient and physicians.” In 2018, the Connecticut Supreme Court reversed again, ruling that a physician-patient relationship creates a “duty of confidentiality” and that a health care provider’s “unauthorized disclosure of confidential [medical] information . . . gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law.”
The court acknowledged that it was recognizing a new tort cause of action and did so only after carefully considering existing privacy protections for patients both in Connecticut and in other states. “The court analyzed relevant laws from other jurisdictions—in particular, South Carolina, Massachusetts, and Missouri—and also reviewed HIPAA’s legislative history,” said Trumbull, Conn., attorney Bruce Elstein, who represents the plaintiff. “Ultimately, they concluded that, as is the case in the majority of jurisdictions that have addressed this question, having a common law cause of action for a health care provider’s breach of medical records is necessary to protect patients.”
“When the subpoena for my client’s records arrived,” Elstein continued, “the defendant failed to comply with HIPAA in even the most rudimentary way. They didn’t consult with a lawyer, and they didn’t even review their own privacy manual. As a result of this failure, my client’s most private medical records—her complete ob-gyn file—were released without her consent. Until now, she—and all Connecticut patients like her—did not have recourse after a breach like this happened. But after this decision, patients finally have a remedy when a medical provider negligently handles their private health information. This decision values the rights of patients, making us all safer.”