Connecticut Supreme Court Recognizes New Cause of Action for Patient Privacy Breach
Alerts
January 17, 2018
On January 16, 2018, the Connecticut Supreme Court issued a decision recognizing a common law duty of confidentiality arising from the physician-patient relationship, and the corresponding right of a patient to sue his or her physician for the “unauthorized disclosure of confidential information obtained in the course of that relationship.”[1] The facts of the case relate to a physician’s release of medical records in response to a subpoena, apparently without first obtaining the patient’s consent, obtaining a protective order, or notifying the patient in accordance with the regulatory procedures under HIPAA.
This case is significant because it provides yet another avenue by which physicians may be held liable for violating HIPAA. This is because the Court decided in 2014 that “HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records . . . .”[2] Thus, if physicians owe a duty of confidentiality to their patients and violating HIPAA is found to breach that duty, the Court held that patients now have the right to sue their physician for damages caused by a violation of HIPAA.[3] Whether a patient will be successful in such a lawsuit remains to be seen.
In the instant case, the defendant’s own admissions establish that it did not comply with the regulatory procedures imposed by HIPAA when it released the plaintiff’s medical record pursuant to a subpoena.[4] With this ruling, the Court is sending the case back to the trial court to determine whether those actions breach the longstanding, but newly recognized common law duty of confidentiality. While a finding that violating HIPAA necessarily breaches the duty of confidentiality is not certain, what is certain is that physicians in Connecticut who violate HIPAA are subject to potential liability from the federal government through the Office for Civil Rights, the state government through the Attorney General, and now from patients themselves.
Apart from HIPAA compliance, the Court leaves open the question of what else is required of physicians to comply with the common law duty of confidentiality. One unsettled question is whether it is possible that a physician could comply with HIPAA yet still breach Connecticut’s common law duty of confidentiality. Unfortunately, this case does not definitively answer that question. What this case does do, however, is serve as a reminder to physicians and their staff to remain vigilant in the pursuit of HIPAA compliance, both to protect patients’ privacy and to avoid legal liability from a growing cast of characters.
_______________
[1]Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 327 Conn. 540, 567–68 (2018).
[2]Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433, 459, 102 A.3d 32, 49 (2014).
[3] HIPAA itself does not allow individual patients to sue when physicians violate it, leaving enforcement up to the federal and state governments.
[4] Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 327 Conn. 540, 572 (2018).