As health care providers increasingly rely on electronic medical records to care for patients, they are finding themselves under attack by cyber criminals. Take, for example, the recent attack on Anthem Blue Cross Blue Shield, in which approximately 80 million health records were accessed or stolen by hackers seeking personal identifiers and other protected health information (PHI). Given the sensitive and personal data most health care providers now maintain for their patients in electronic form, the number of such cyber attacks can only be expected to increase.
For years, health care providers have structured their cyber security policies to comply with the mandates of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. Moreover, providers have been successful in avoiding private state law claims for alleged privacy violations because HIPAA does not provide a private right of action. As the number of hacking incidents continues to increase, however, courts are beginning to revisit the issue of HIPAA preemption. Indeed, in recent years some courts have allowed plaintiffs to bring negligence claims asserting various privacy violations against health care providers under state law, rejecting the providers’ argument that federal law and regulations preempt such claims.
In Byrne v. Avery Ctr. for Obstetrics & Gynecology, 314 Conn. 433 (2014), the Connecticut Supreme Court held that HIPAA does not preempt negligence claims brought under state law against a health care provider that improperly disclosed a patient’s medical records when responding to a subpoena. Emily Byrne, a patient at the Avery Center for Obstetrics and Gynecology (“Avery Center”), instructed her doctor not to provide her protected health information (PHI) to her estranged significant other, Andro Mendoza. Mendoza subsequently filed a paternity suit against Byrne and served a subpoena on Avery Center requesting Byrne’s medical records. Avery Center turned the requested records over to the court without notifying Byrne or taking any other protective action.
Byrne filed an action against Avery Center alleging four causes of action, all based on state common law: (1) breach of contract; (2) common-law negligence; (3) negligent misrepresentation; and (4) negligent infliction of emotional distress. She based her negligence-type claims on Avery Center’s failure to comply with HIPAA’s Privacy Rule, in that Avery Center responded to Mendoza’s subpoena without notifying Byrne, moving to quash the subpoena, or appearing in court. The trial court dismissed Byrne’s negligence claims, observing (correctly) that there is no private right of action under HIPAA and ruling that her claims were therefore preempted.
The Connecticut Supreme Court reversed the trial court’s dismissal, holding that “the regulatory history of HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.” Finding support for its conclusion in federal and state court decisions across the country, the Byrne Court stated that HIPAA does not preempt causes of action “arising from health care providers’ breaches of patient confidentiality in a variety of contexts.” The court also noted that HIPAA preempts only “contrary” state laws; that is, preemption applies where a covered entity could not comply with both the state and federal requirements at the same time (or where the state law stands as an obstacle to HIPAA’s purposes), and even then HIPAA’s regulations expressly leave in place state laws that are more stringent in protecting the privacy of health information. The court further considered whether, as in cases interpreting federal preemption under the Occupational Safety and Health Act of 1970, HIPAA can inform the standard of care in state cases alleging negligent disclosure of PHI. The court did not specifically rule on that question because it had not been briefed by the parties. Nonetheless, the court concluded that state-law negligence suits alleging improper disclosure of PHI are permissible and support HIPAA’s goals by establishing another “disincentive to wrongfully disclose a patient’s health-care record.”
The New Jersey Supreme Court has yet to rule on whether HIPAA preempts state common-law negligence claims for improper disclosure of PHI, but the Byrne decision, along with similar decisions in several other states, has significant consequences for health care providers that suffer data security breaches. Although Byrne can be distinguished on its facts because it involved a negligent failure to respond properly to a subpoena for PHI rather than hacking by third parties, its reasoning is arguably applicable to any kind of data breach because of HIPAA’s data security regulations. HIPAA’s Security Rule requires covered entities, including health care providers, and their business associates to protect electronic PHI (ePHI) with administrative, physical, and technical safeguards. Administrative safeguards include, among other things, risk analysis and risk management, workforce training and supervision, contingency planning (including data backup), and restricting access to ePHI to those workforce members who require it. Physical safeguards cover facility access controls, workstation use and security, and device and media controls. Technical safeguards cover access controls, audit logging, integrity protections, user authentication, and the security of ePHI in transmission. In addition to the possible negligence claims from patients discussed above, covered entities that fail to meet these data security standards can be subject to stiff civil penalties and, in egregious cases, even criminal prosecution.
New Jersey courts are likely to be persuaded by the Byrne decision and others like it that recognize a role for state law and state courts in protecting against the disclosure of PHI, even when the disclosure results from hacking by a third party. Successfully defending against such claims will depend on whether health care providers that rely on electronic medical records invest in protective technologies, implement policies and procedures that deter hackers and limit unauthorized access to ePHI, document their compliance with the Security Rule’s safeguards, and take all other reasonable steps to secure patients’ electronic medical records from improper access and disclosure.