Healthcare providers receiving a subpoena for patient medical records may want to think twice before complying with the subpoena and producing the records. A recent Connecticut case, Byrne v. Avery Center for Obstetrics and Gynecology, P.C. ("Byrne"), arose when the defendant gynecology center received a subpoena to produce the medical records of its patient, who was also a party in a separate action, and the center complied with the subpoena by producing the medical records. The center did not obtain its patient's authorization and had not received satisfactory assurances that the requesting party had attempted to notify the patient of the subpoena or had attempted to seek entry of a qualified protective order.
The patient contended that she experienced harassment and extortion as a result of the production of her medical records in the separate lawsuit and sued her gynecology center for releasing the records. Among the claims the patient asserted was that the center was negligent in failing to use reasonable care in protecting her medical file, including disclosing the records in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1302d et seq.
The patient's reference to HIPAA was based on the HIPAA privacy regulation, 42 C.F.R. § 164.512(e), which permits disclosure of a patient's medical records for judicial or administrative proceedings without the patient's authorization in response to a subpoena if the provider "receives satisfactory assurance … from the party seeking the information" that "reasonable efforts" have been made to "ensure" that the affected patient has been given notice or to secure a "qualified protective order." The patient asserted that the gynecology center's failure to insist on receiving such "satisfactory assurance" constituted negligence under Connecticut law.
Recognizing the well-settled rule that HIPAA does not create a private right of action, the trial court dismissed the plaintiff's negligence claims based on violation of HIPAA regulations on the ground that they were identical to a private claim for a violation of HIPAA and were therefore preempted by the federal law, which does not provide for a private remedy.
On November 11, 2014, the Connecticut Supreme Court reversed that ruling, holding that HIPAA did not preempt the patient's claims for negligence and negligent infliction of emotional distress arising out of the gynecology center's disclosure of her subpoenaed medical records in violation of HIPAA privacy regulations. Byrne is likely to spawn similar lawsuits in Connecticut and other jurisdictions because it provides a pathway to asserting state law negligence claims based on violations of HIPAA regulations.
The Byrne court recognized that HIPAA does not preempt state law provisions that provide "greater privacy protection for the individual" whose information is being disclosed. 45 C.F.R. § 160.202. The court concluded that this standard protected the patient's common law negligence claims because (i) a common law negligence claim may increase the privacy protections afforded to patients and, therefore, would not be contrary to or less stringent than HIPAA; and (ii) a damages award for negligence is not inconsistent with the penalty provisions under HIPAA.
Significantly, the court also concluded that, to the extent it has become the common practice for providers in Connecticut to follow the procedures required under HIPAA for protecting medical records, HIPAA and its implementing regulations could be used to inform the standard of care in a negligence claim arising out of the disclosure of medical records in compliance with a subpoena.
Because HIPAA requires covered entities, such as hospitals and physicians, to obtain satisfactory assurances that the patient has been notified or a qualified protective order has been sought before producing documents in response to a subpoena, a provider's response to a subpoena without receiving those assurances (or the patient's actual authorization) may give rise to a plaintiff's negligence claims, with the HIPAA requirements providing the standard of care. Byrne thus may have raised the stakes for hospitals and providers who might reflexively respond to a subpoena without following closely the HIPAA regulations. Byrne is the latest in a line of cases expanding the scope of HIPAA enforcement, and providers may want to consider consulting with legal counsel to determine the extent to which subpoena compliance is consistent with state privacy laws and HIPAA.