November 14, 2014
In a first-of-its-kind decision in the state, the Connecticut Supreme Court has ruled that patients can bring negligence lawsuits against health care providers that violate federal privacy regulations.
The ruling will allow a Vermont woman’s negligence lawsuit against a Westport gynecologist’s office to go to trial. It could also have national implications, according to legal experts with knowledge of the Health Insurance Portability and Accountability Act.
HIPAA, which was passed into law in 1996 and been expanded upon ever since, offers stringent protections for patients with regard to the privacy of their health information. Personal health information may not be disclosed to any third party without authorization of the patient. In the event of an unintentional or inadvertent release, medical providers must take a series of steps to mitigate the harm, including promptly alerting the patient.
Until now, lawsuits seeking damages for negligence or emotional distress as a result of any breach of information protected by HIPAA were not permitted under Connecticut law. But in the case of Byrne v. Avery Center for Obstetrics and Gynecology, the court ruled that HIPAA does not preempt common-law causes of action for negligence for HIPAA violations. As a result, similar lawsuits against medical providers are expected.
“The decision adds the Connecticut Supreme Court to a growing list of courts that have found that HIPAA’s lack of a private right of action does not necessarily foreclose action under state statutory and common law,” Michael Kline, a partner at Fox Rothschild in Princeton, N.J., whose national client list includes hospitals and skilled nursing facilities, wrote in a blog entry on the topic. “This, however, has added significance, as it appears to be the first decision by the highest court of a state that says that state statutory and judicial causes of action for negligence, including invasion of privacy and infliction of emotional distress, are not necessarily preempted by HIPAA. Moreover, it recognized that HIPAA may be the appropriate standard of care to determine whether negligence is present.”
As a result, lawyers in practices ranging from privacy law and professional malpractice to health law say many plaintiffs may feel emboldened to bring lawsuits for medical privacy violations. “I think you are going to see a lot more litigation in this area,” said Bruce Elstein, of Norwalk-based Goldman, Gruder & Woods, the plaintiff’s attorney in Byrne.
The Connecticut case involved a patient who sued a health care clinic that released her medical records to a third party without her authorization. The plaintiff, Emily Byrne, claims that the Avery Center for Obstetrics and Gynecology in Westport released private information about her pregnancy to the father of the child Byrne delivered in 2005, against her instructions.
The center moved to block the lawsuit on the grounds that the language in HIPAA precludes individual liability claims. The center’s lawyer, James Rosenblum of Stamford, also argued that no negligence lawsuit could be brought because the administrative remedies had not been exhausted. Those remedies include filing a complaint with the federal Department of Health and Human Services, which investigates such claims and potentially levies fines against medical offices.
The Avery Center prevailed in Superior Court, which led to an appeal to the Supreme Court.
In its unanimous Nov. 4 decision, Justice Flemming Norcott Jr., who is now retired but was a member of the court when the case was heard in 2012, determined that “neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of the plaintiff’s medical records.”
The ruling, which follows similar decisions in Missouri, North Carolina and West Virginia, said such claims can be pursued in civil lawsuits if the plaintiffs can show the “generally accepted standard of care” was not followed. The Connecticut court found there is evidence that the standard of care was not followed in Byrne’s case. Specifically, the decision said, Byrne was never informed of the request for her records made by Andro Mendoza, her former boyfriend. And the records he was provided with were beyond what he requested.
The lawsuit will now be placed on a trial docket in Bridgeport Superior Court.
William Roberts, a member of Shipman & Goodwin’s health law practice group and life sciences and medical products client team, said the decision will have ripples beyond the health care industry.
In 2013, the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) brought business associates of health care providers and employees of health insurance companies under HIPAA. The law not only covers the unauthorized distribution of paper records but the accidental release of digital records in a data breach situation.
“It often applies to law firms, consultants, accountants and others who provide services to health care providers and health plans,” said Roberts. “The release of records in violation of HIPAA by any of these entities may also now be the basis for a negligence claim.”
Roberts said federal agencies have rarely handed out fines or penalties for HIPAA violations. The Connecticut court opinion, he said, “greatly increases the potential liability” for health care providers.
The Connecticut Trial Lawyers Association and other bar groups are also weighing the potential impact of the ruling. CTLA President Angelo Ziotas, a partner with Silver Golub & Teitel, said it’s clear that lawyers will pay closer attention to HIPAA regulations when requesting records on behalf of their clients. “There may be more litigation,” Ziotas said. “I think the facts of this case are fairly unique, where you have a wrongful release of medical records which leads to a tangible injury where a claim can be brought. Usually, there is not enough damages to justify litigation.”
In Byrne, the plaintiff is seeking damages for emotional distress stemming from the release of her medical records. According to her complaint, Byrne learned she was pregnant in late 2004. “Shortly afterward, she called the Avery Center and instructed them not to release any of her medical information to the father of the child, with whom she was no longer in a relationship,” Elstein said. “This request was well within her rights as protected under the HIPAA act.” But the center responded to a subpoena by Mendoza, who had filed a paternity suit against Byrne, and released her medical records.
The only other time the issue was raised in Connecticut was in 2007. In Fisher v. Yale, the Supreme Court ruled that a Connecticut Unfair Trade Practices Act claim could not be pursued against a medical office that released records without a patient’s permission. The court also held that negligence claims in those instances were not permissible because of HIPAA’s administrative remedies. “This decision reverses that holding,” Elstein said.
Elstein said in the two years since he brought the Supreme Court challenge, he’s been approached by “six to 12” Connecticut lawyers who told him they have potential lawsuits involving medical records that were improperly released in violation of HIPAA. “People have been asking me if they can sue for HIPAA violations, and my answer up until now has been, ‘Stay tuned,'” he said. “But my answer today to that question, is ‘yes.'”
Read more: http://www.ctlawtribune.com/id=1202676495229/Conn-Medical-Records-Ruling-Could-Have-Widespread-Impact#ixzz3JLfize27
203-899-8900