A recent decision of the Connecticut Supreme Court signals a growing trend in Health Insurance Portability and Accountability Act (HIPAA) jurisprudence that could prove significant in the broader data-security context.
Although HIPAA contains no private right of action and preempts contrary state laws, several courts have held the HIPAA does not preempt state-law negligence claims for improper disclosure of private patient information and—importantly—that HIPAA regulations may inform the state-law duty of care. This trend and the most recent case,Byrne v. Avery Center for Obstetrics & Gynecology, P.C.,1 should be of interest not only to health care providers, but also to all companies collecting or disseminating sensitive customer information. Courts have yet to address the contours of any common-law duty to protect consumer data in the data-security context, but Byrne suggests that courts could look to federal regulations and standards, even if the federal-law sources do not provide private rights of action. While certainly not new, data-breach lawsuits have become more common after numerous high-profile breaches within the past year. But most of the litigation to-date has centered on a plaintiff’s ability to state a cause of action. Plaintiffs have tried numerous common-law theories: breach of contract, unjust enrichment, invasion of privacy, misrepresentation and negligence. Courts generally reject contract, unjust enrichment and misrepresentation claims unless the defendants undertook some specific security obligations in their contracts or privacy policies. Invasion of privacy claims frequently fail for lack of “publication,” and negligence claims fail for lack of actual injury—e.g., identity theft—under either the economic loss doctrine or Article III standing.
Few cases have gone beyond the pleadings, and fewer still have reached the question of what a state-law negligence duty entails in the context of data breach. In the HIPAA context, however, courts have begun to look to federal regulations for guidance, a trend that could inform courts in data-breach cases that survive the pleadings.
The trial court dismissed the statutory and common-law negligence claims and the negligent infliction of emotional distress count, reasoning that they were essentially HIPAA claims in disguise.2 More specifically, addressing the state statutory negligence claim, the court wrote that “[t]o the extent that [the statute] permits disclosure of protected medical records pursuant to a subpoena without the safeguards provided by HIPAA, it is both contrary to and less stringent than HIPAA and therefore superseded by HIPAA.” Similarly, the trial court opined that if “common law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA’s preemption rule” and “[b]ecause it is not more stringent [than HIPAA], the preemption exception does not apply.” The court further ruled that insofar as the doctrine of negligent infliction of emotional distress “permits a private right of action for HIPAA claims” it is also is preempted by HIPAA.
The Connecticut Supreme Court reversed the trial court’s decision, holding that HIPAA does not preempt state-law negligence actions for breach of patient confidentiality, as such actions are not “contrary” to HIPAA, but either complementary or “more stringent.”3 Of interest in the broader data-security context, Connecticut joined courts in North Carolina, Kentucky, Delaware and Maine by ruling that “HIPAA and its implementing regulations may be utilized to inform the standard of care applicable” in state-law negligence actions.4 In addition, district courts in Tennessee and Missouri have remanded negligence claims predicated on HIPAA regulations to the respective state courts, implying that such claims are proper under state law.5
These rulings apply only in the HIPAA context and only in those specific states. Even so, the cases bear watching from a data-security perspective, as courts could employ similar reasoning in data-breach actions, looking to regulations or pronouncements by the Federal Trade Commission, Federal Communications Commission, or other federal regulatory entities that have entered or might yet enter the data-security fray.
It is important to note that the Connecticut Supreme Court in Byrneassumed, without holding, that Connecticut’s common law recognizes a negligence action for breach of patient confidentiality, so state courts could still hold that companies owe no data-security duties beyond those assumed in contract or imposed by statute. Moreover, the court noted that HIPAA regulations are relevant to the negligence standard of care to the extent they have become “common practice” for Connecticut health care providers. On this reasoning, only those standards that achieve frequent use within an industry or locale would inform a negligence duty.
Given the increase in data-breach lawsuits and the trend in HIPAA cases, companies should pay close attention to federal regulatory efforts, especially those that gain common use, even if those standards do not carry penalty provisions or private rights of action.