Another State Rules That Patients Can Sue For Negligence for Violating HIPAA Regulations

The Connecticut Supreme Court has now joined Missouri, West Virginia and North Carolina in rulings connecting HIPAA with negligence lawsuits by patients.

In a case of first impression in Connecticut, the state’s Supreme Court ruled that a patient can sue a medical office for HIPAA negligence if it violates the patient’s privacy when improperly releasing the medical records to a third party. There is no dispute that HIPAA does not create a private cause of action. Increasingly, however, HIPAA can provide the standard of care for a medical office in how it releases confidential medical records and can be found negligent if it releases such medical records contrary to the requirements of the HIPAA regulations.

In the Connecticut case Emily Byrne v. Avery Center for Obstetrics and Gynecology, P.C., Byrne, after learning she was pregnant in 2004, reportedly instructed the Avery Center not to release any of her medical information to the father of the child with whom she was no longer in a relationship. However, in response to a subpoena from the presumed father, the Avery Center released the information. Furthermore, according to the allegations, the Avery Center failed to make any attempt to notify Byrne of the subpoena or to seek guidance from the court on the disclosure to be made. The Connecticut Supreme Court ruled that a violation of HIPAA regulations may constitute a violation of generally accepted “standards of care,” and remanded the case back to the lower court for trial. It is not clear yet how the case will play out in the lower court.

Likewise, the West Virginia Supreme Court of Appeals ruled that hospitals and other health care providers are subject to suit for damages where medical records are released in violation of HIPAA regulations. In the West Virginia case, the Court rejected the argument that HIPAA and its extensive regulations did not provide for suit for damages over release of records, and, therefore, pre-empted any such actions under state law.

Similarly, in I.S. v. Washington University, a Missouri case, I.S. alleged that she had been treated at Washington University for colon cancer and requested that Washington University forward only the dates of the colon cancer treatment to her employer to satisfy company medical leave policies. Instead, without any authorization from I.S., Washington University forwarded I.S.’s employer a set of her medical records, including information regarding HIV status, mental health issues, and insomnia treatments. One count of the resulting complaint against Washington University included a state claim for “negligence per se.” Washington University moved to dismiss the claim for negligence, arguing that the negligence claim is was a thinly disguised attempt to bring a private cause of action for violation of HIPAA. I.S. responded that HIPAA simply “provides a standard of care by which to adjudge the defendant’s negligence.” The court held that the negligence count may stand as a state claim for negligence per se, despite its exclusive reliance upon HIPAA. (2011 WL2433585, June 14, 2011)

These cases show that despite the fact that HIPAA does not create a private cause of action, courts across the country seem to be moving in the direction of allowing HIPAA to be cited as an element of a claim under state law for negligence and/or negligence per se.