Based on the decision in a recent Connecticut Supreme Court case, patients may now sue physicians for breaching confidentiality. Previously, Connecticut did not recognize breach of confidentiality as a cause of action. The unauthorized disclosure at the heart of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. involved a provider’s response to a subpoena. Subpoena compliance has long been an area of confusion for providers. After Byrne, not only must providers pay special attention when responding to subpoenas but now they must also worry about broader breach of confidentiality claims by patients.
In Byrne, the state Supreme Court concluded that the unauthorized disclosure of confidential information obtained in the course of the physician-patient relationship for treatment purposes gives rise to an action for breach of duty of confidentiality.
The patient in Byrne instructed that her OB/GYN not release any of her information to her ex-boyfriend. The ex-boyfriend later filed paternity actions in two states and issued a subpoena to the provider for the patient’s medical records. The subpoena instructed the provider to send a custodian of records to the regional probate court with the records. Instead of appearing in person with the records, filing a motion to quash or notifying the patient of the request and seeking her permission, the provider simply mailed the records to the court. The court clerk inserted the records in the public court file, which allowed the ex-boyfriend full access to the patient’s records. According to the patient, after her ex-boyfriend viewed her records, he began to harass and threaten her.
In reaching its conclusion that the patient could sue a physician for breach of confidentiality, the Court relied on a number of factors including a state statute that grants privilege to physician/patient communications without providing any penalty for violations (Conn. Gen. Stat. § 52-146o) and the decisions by numerous other states to recognize such a cause of action. Although the Court did not outline elements for this new cause of action or provide other guidance as to the conduct that the plaintiff must prove to be successful in her cause of action, it pointed to an earlier decision in which it explained that HIPAA "may be utilized to inform the standard of care" if a breach of duty of confidentiality cause of action existed.
Notably, while the decision addressed only the physician/patient relationship, state courts likely will apply the reasoning in Byrne to other health care providers because Connecticut statutes recognize a number of other classes of providers as having a confidential relationship with patients. Such providers include psychiatrists, psychologists, social workers, licensed marriage family therapists, and domestic violence /sexual assault counselors among others. See Conn. Gen. Stat. §§ 52-146c et seq.
What Does This Mean For Health Care Providers?
This decision means that HIPAA and state privacy law compliance is more important than ever before. Specifically, a breach of protected health information ("PHI") under HIPAA can now subject providers to private lawsuits for a breach of a duty of confidentiality. It may also mean that providers that fail to follow internal policies or procedures regarding privacy could be sued for a breach of duty of confidentiality.
In addressing this new legal risk, understanding how to handle subpoenas should be a top priority. The following must be clear to everyone handling subpoenas: a subpoena alone does not permit the disclosure of PHI. The patient’s written authorization or a specific court order must accompany a subpoena. While HIPAA permits the disclosure of PHI in response to subpoenas under other limited circumstances, it is not required and in light of the Byrne decision, it is not advisable.
In addition, providers need to assess compliance with privacy laws generally, including HIPAA, and step-up compliance efforts across their organizations. This includes compliance with state and federal laws that provide more protection than HIPAA, such as laws that apply to mental health, HIV/AIDS and substance abuse records. It is likely that compliance with these laws will be the measuring stick for determining whether a provider breached a duty of confidentiality in a lawsuit brought by a patient.