In a first-of-its-kind decision in the state, the Connecticut Supreme Court has ruled that patients can bring negligence lawsuits against health care providers that violate federal privacy regulations.
It took the state’s highest court nearly two years to rule on the issue, which will allow a Vermont woman’s lawsuit against a Westport gynecologist’s office to go to trial. The decision could also have national implications, according to legal experts with knowledge of the Health Care Portability and Accountability Act and also those involved with data breach cases.
The Connecticut case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology involved a patient who sued a health care clinic that released her medical records to a third party without her authorization. The plaintiff, Emily Byrne, claims that the Avery Center for Obstetrics and Gynecology in Westport released private information about her pregnancy to the father of the child Byrne delivered in 2005, against her instructions.
The center moved to block the lawsuit on the grounds that the language in HIPAA precludes individual liability claims. The center’s lawyer, James Rosenblum of Stamford, also argued that no negligence lawsuit could be brought because the administrative remedies had not been exhausted. The center won a decision in Superior Court, which led to an appeal to the Supreme Court by Byrne’s lawyers.
In its unanimous Nov. 4 decision authored by Justice Flemming Norcott Jr., the court determine that “neither HIPPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of the plaintiffs medical records.”
The ruling said such claims can be pursued in civil lawsuits if the plaintiffs can show the “generally accepted standard of care” under was not followed. In the ruling, which follows similar decisions in other states, including Missouri, West Virginia and North Carolina, the court found there is evidence that the standard of care was not followed in Byrne’s case. Specifically, the decision said, Byrne was never informed of the request for her records made by Andro Mendoza, her former boyfriend. And the records he was provided were beyond what he requested.
“Before this ruling, individuals could not file a lawsuit claiming violation of their privacy under the HIPAA regulations,” said Byrne’s lawyer, Bruce Elstein, of Goldman, Gruder & Woods. The lawsuit will now be placed on a trial docket in Bridgeport Superior Court, and the plaintiff will be permitted to pursue her claim that the medical office was negligent for releasing her records.
According to the lawsuit, Byrne learned she was pregnant in late 2004. “Shortly afterward, she called the Avery Center and instructed them not to release any of her medical information to the father of the child, with whom she was no longer in a relationship,” Elstein said. “This request was well within her rights s protected under the HIPAA act.”
But the center responded to a subpoena by Andro Mendoza, who had filed a paternity suit against Byrne and released her medical records. Elstein said while the HIPAA does not itself allow for negligence claims, he argued before the Supreme Court that such claims should be pursued if the standard of care was not followed, which the court found was the case here.
The only other time the issue was raised was in 2007, in a case called Fisher v. Yale. The Connecticut Supreme Court in that case ruled that a Connecticut Unfair Trade Practices Act claim could not be pursued against medical office that released records without a patient’s permission. The court also ruled that negligence claims in those instances were not permissible because of administrative remedies provided under HIPAA. “This decision reverses that holding,” Elstein said.
Elstein said that while the decision has been pending, he’s been approached by “six to 12″ Connecticut lawyers who told him they have potential lawsuits involving medical records that were improperly released in violation of HIPAA. “People have been asking me if they can sue for HIPAA violations, and my answer up until now has been, ‘Stay tuned,’” he said. “But my answer today to that question, is ‘yes.’”
He expects to see “quite a bit of litigation” to follow as a result of the ruling from plaintiffs who did have a claim before the decision. “What this really means,” he said. “Is patients will be better protected as medical offices learn to comply with what HIPAA requires.”
He expects the case against Avery will go to trial some time next year.