In an opinion published on November 11, 2014, Connecticut joined a growing number of jurisdictions that have found that state law causes of action based on a health care provider’s unauthorized disclosure of a patient’s medical records are not preempted by the Health Insurance Portability and Accountability Act (“HIPAA”). The Connecticut Supreme Court held that HIPAA does not preempt a plaintiff’s state common law causes of action against a health care provider for negligence and negligent infliction of emotional distress. Further, the court stated that HIPAA’s implementing regulations may inform the standard of care for these state law claims.
Byrne v. Avery Center for Obstetrics and Gynecology, P.C. involved a health care provider’s disclosure of a patient’s medical records in response to a subpoena. The plaintiff, Emily Byrne, received gynecological and obstetrical services from the defendant, Avery Center for Obstetrics and Gynecology, P.C. After the plaintiff ended a relationship with a man named Andro Mendoza, Mendoza filed several paternity suits against her. In connection with the paternity suits, the defendant was served with a subpoena for the plaintiff’s medical records. Instead of seeking the plaintiff’s authorization to disclose the records, obtaining a protective order, or filing a motion to quash, the defendant mailed a copy of the medical records to the court. Before the plaintiff was able to file a motion to seal her records, Mendoza viewed them. The plaintiff alleged that she suffered harassment and extortion threats from Mendoza after he viewed her medical records, and that Mendoza was able to use the information to file several civil actions, including paternity and visitation actions.
On motions for summary judgment by both parties, the trial court dismissed the plaintiff’s claims alleging the defendant (1) acted negligently by failing to use proper and reasonable care in protecting her medical file; and (2) engaged in conduct constituting negligent infliction of emotional distress. The trial court noted that it is well-settled that HIPAA does not provide a private right of action and agreed with the defendant that “HIPAA preempts ‘any action dealing with confidentiality/privacy of medical information.’” The plaintiff appealed.
The Connecticut Supreme Court reversed the trial court, noting that HIPAA preempts state laws that are “contrary” to HIPAA, but that it is “well established that, ‘ordinarily, state causes of action are not [preempted] solely because they impose liability over and above that authorized by federal law.’” The court looked to general federal preemption concepts, HIPAA’s regulatory history, and decisions from federal and state courts holding that HIPAA does not preempt “causes of action, when they exist as a matter of state common or statutory law, arising from health care providers’ breaches of patient confidentiality” to come to its decision. The court went on to find that “to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients' medical records pursuant to a subpoena.”
Although the Byrne case involved an individual plaintiff, class action suits involving data breaches have also alleged similar state law claims. For example, in In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, the plaintiffs alleged that HIPAA helped to establish SAIC’s duty of care for state tort law claims, including negligence and invasion of privacy, and that a failure to ensure HIPAA compliance supported their breach of implied contract claim against SAIC. In that case, a thief broke into a car belonging to an SAIC employee and stole several backup tapes containing medical records of 4.7 million members of the U.S. military and their families enrolled in TRICARE health care, resulting in the largest HIPAA breach in history. Because the court dismissed the majority of the plaintiffs from the case for lack of standing, it did not address whether HIPAA preempts state law claims or can be used to establish a duty of care for tort claims. However, the Byrne decision and others like it will only incentivize more private lawsuits (including class actions arising from large data breaches) alleging state law claims in HIPAA breaches.