Since the implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2003, injured or wronged individuals (and their lawyers) have been looking for ways to bring claims against healthcare providers and others who engaged in activities that appeared to violate these rules. Because HIPAA does not provide a private cause of action, most of these efforts have been unsuccessful. But, a recent decision by the Connecticut Supreme Court has given new hope to these claimants, although there is still a long way to go before individuals can prove their claims in court.
In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., SC 18904, (November 11, 2014), the Connecticut Supreme Court addressed the question of whether the HIPAA rules preempt an individual’s state common law causes of action for negligence or negligent infliction of emotional distress against a healthcare provider based on an alleged violation of the provider’s duty of confidentiality.
The court looked at two issues: (1) Was the claim preempted? And, (2) did the HIPAA rules provide an “applicable standard of care” that could be applied in the common law claim?
The individual in question, the plaintiff-patient, had been treated by the practice. During the course of her treatment, the plaintiff ended a relationship with another individual. That individual, the potential father of the patient’s child, subsequently filed a paternity action against the patient and served a subpoena on the healthcare provider seeking certain medical records. The provider “did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court.” Instead, the provider mailed a copy of the records to the court. These records were subsequently made available to the potential father in the paternity case, presumably by the court.
The patient alleges in the current action that she suffered “harassment and extortion threats from [the potential father] since he viewed her medical records.” She brought suit against the healthcare provider claiming, among other things, that the provider “acted negligently by failing to use proper and reasonable care in protecting her medical file” and “engaged in conduct constituting negligent infliction of emotional distress.” (Certain other claims were not at issue in the Supreme Court’s opinion.)
The Supreme Court’s decision is straightforward. It concluded that:
… to the extent that Connecticut's common law provides a remedy for a health care provider's breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA does not preempt the plaintiff's state common-law causes of action for negligence or negligent infliction of emotional distress against the health care providers in this case and, further, that regulations of the Department of Health and Human Services (department) implementing HIPAA may inform the applicable standard of care in certain circumstances.
The preemption element is not surprising. The court noted that “the regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff's medical records.” While the HIPAA preemption provisions can be very confusing, the core idea is that the HIPAA rules set a standard “floor” for individual privacy rights and preempt state laws that go below that floor. If a state law provides “more stringent” protections, those state laws remain in effect. The idea that the HIPAA rules, therefore, would preempt an entire line of common law tort claims for any defendant who happens to be covered by the HIPAA rules would be an extremely broad conclusion that would protect the provider, not the patient. Therefore, this kind of claim can go forward in Connecticut, and presumably in other states where such claims exist.
Therefore, while the Byrne decision provides an important opportunity for individuals affected by allegedly improper activities of healthcare providers, this case does not lead to the conclusion that providers will now lose significant litigation matters. The Byrne decision does not even resolve the question as to whether Connecticut law permits such a claim. As the Court made clear, it was “assuming, without deciding, that Connecticut’s common law recognizes a negligence cause of action arising out of a health care providers’ breaches of patient privacy in the context of complying with subpoenas.” The court’s only conclusion is that “if Connecticut’s common law recognizes claims arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims.”
The Byrne decision DOES NOT (1) decide that such a claim exists; (2) reach any conclusion whatsoever that the provider did anything to violate HIPAA’s standards or breach any duty under common law to the patient, or (3) determine that there were any kind of compensable damages. These elements of the case will move forward following the court’s determination.
Therefore, this decision is only the most recent and perhaps the most significant (because it is a state supreme court) decision addressing questions about (1) whether the HIPAA rules can provide a potential basis for a determination that state common law was violated, and (2) permitting these claims to move forward without any preemptive effect from HIPAA. For a potentially wronged individual, this is an important first step, but it is only a first step. The plaintiff will still need to demonstrate that such a claim exists, prove that the elements of the claim (under standard common law tort principles) occurred and then demonstrate specific damages.
Obviously, this case presents some new opportunities for potentially wronged individuals and creates some new concerns for healthcare providers and others covered by the HIPAA rules. Neither side should overreact to this decision. Plaintiffs now can move a claim forward, but still have a long way to go to prove their case. In addition, while this kind of claim may end up moving forward in situations involving specific tort injuries suffered by individuals, these “common law claims” do not typically lend themselves to class action status or more broad based claims. Even for individuals, there will always be a challenge to provide actual damages from the allegations.
For healthcare providers and others covered by the HIPAA rules, this should serve as an important reminder that (1) compliance with the HIPAA rules is important; (2) the purpose of the HIPAA rules are to protect the privacy rights of individuals, and that (3) the HIPAA rules do not give healthcare providers a “get out of jail free” card in the event that their actions (or inactions) can be proven to be below a standard of care and cause compensable injury to an individual.
As these claims move forward, in Connecticut or in other states, we also will need to watch closely how the “standard of care” component of these claims is evaluated by courts, primarily through state law judges. Obviously, state court judges will not have the experience in interpreting these rules as the enforcement agency would, and they present a potential wild card in applying these rules and principles in the context of a tort suit. Keep in mind that these suits will typically arise in situations where something already has gone wrong. We know that HIPAA does not require perfection and that key components of HIPAA include both reasonable policies and procedures and effective mitigation steps to address any inappropriate actions. The relevant enforcement agency applies this principle generally. What we do not know is how a judge will apply these ideas in a situation where an individual has suffered at least some kind of injury as a result of the provider’s actions.
In this case, for example, it is not clear from the facts whether the provider violated the HIPAA rules at all or had a reasonable basis for its actions in the circumstances. On a broader basis, we should be concerned about how the HIPAA rules will be interpreted in the context of state court common law claims, under a general common law tort system. Many tort claims (such as the typical claim for intentional infliction of emotional distress in the Byrne case) require that a defendant act (1) intentionally or recklessly, and that (2) the defendant's conduct must be extreme and outrageous. We should hope that these standards will be applied in a way that does not require HIPAA perfection, but the Byrne case takes these claims one step closer towards this difficult analytical challenge.