In a recent opinion, the Connecticut Supreme Court determined that state law claims based on violations of the Health Insurance Portability and Accountability Act (HIPAA) were viable.
The plaintiff in Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433 (Conn. 2014) was involved in a paternity suit and requested that the defendant, her medical provider, not produce any records to her former lover. However, the defendant was served with a subpoena from the ex-lover, and produced the documents to the court without plaintiff’s knowledge. See id. at 437. The plaintiff sued the medical provider after she began experiencing harassment from her ex, who was able to review the medical records. See id. In the four-count complaint, the plaintiff alleged breach of contract, negligence, negligent misrepresentation, and negligent infliction of emotional distress. See id. at 438-439. In particular, she alleged that the defendant violated HIPAA by producing medical records without authorization.
The court determined that “the regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records. As the plaintiff aptly notes, one commenter during the rulemaking process had raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.” Id. at 453. Accordingly, the court found that HIPAA did not preempt state law claims for alleged breaches of confidentiality. See id. at 459. However, the court declined to find, as a matter of law, whether the defendant was negligent in producing the medical documents, and remanded to the trial court for further proceedings.