On November 11, 2014, the Connecticut Supreme Court held in Emily Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (“Avery Center”) (SC 18904) that the federal Health Insurance Portability and Accountability Act (“HIPAA”) does not preempt state common law negligence and emotional distress claims against medical providers who improperly breach the confidentiality of a patient’s medical records and that “HIPAA may inform the applicable standard of care in certain circumstances.” In reaching its decision, the high court reversed the trial court’s dismissal of plaintiff Emily Byrne’s state common law causes of action for negligence and negligent infliction of emotional distress against Avery Center for releasing information about her pregnancy without her authorization in complying with a subpoena in a paternity action. Although other states have reached similar holdings, the Connecticut ruling is notable in light of the passage of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which expanded HIPAA liability to business associates. As such, covered entities as well as their business associates risk increased exposure under HIPAA and state laws, including negligence, invasion of privacy and state privacy claims.
The plaintiff brought four actions against the defendant: (1) breach of contract; (2) negligence in failing to use proper and reasonable care to protect her medical records; (3) negligent misrepresentation that her medical records would be protected according to the law; and (4) negligent infliction of emotional distress. The trial court denied Avery Center’s motion for summary judgment with respect to counts one and three and dismissed counts two and four for lack of subject matter jurisdiction, holding that HIPAA does not create a private right of action and preempts the negligence-based state common law claims.
On appeal, the high court asserted that preemption applies only when a “state law” provision, which includes common law as defined at 45 C.F.R. § 160.202, is “contrary” to HIPAA, where “contrary” means that (1) it is impossible for a covered entity to comply with both the state and federal requirements; or (2) the state law is “an obstacle” to federal purposes. Additionally, state laws that are “more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter” are exempt from preemption. In reviewing the regulatory history of HIPAA and its implementing regulations, the high court also concluded that HIPAA did not intend to preempt state tort actions resulting from unauthorized disclosure of protected health information. Accordingly, the court concluded that “private rights of action in state courts, to the extent that they exist as a matter of state law, do not preclude, conflict with, or complicate health care providers’ compliance with HIPAA,” which “may inform the relevant standard of care in such actions.” Although HIPAA does not provide a private right of action, the Avery Center case and cases like it recognize that HIPAA can be used by plaintiffs’ attorneys to establish the standard of care in connection with negligence and other tort claims.