When Congress enacted HIPAA and its Privacy Rule in the mid-1990s, it was a big deal. Healthcare providers surely protected patient privacy in the pre-HIPAA days, but the federal statute gave them a standard set of rules with which to comply and a uniform referent against which to gauge their privacy practices. All told, HIPAA’s impact has been both pervasive and positive. Moreover, one of its lasting virtues is that, because the statute created no private right of action, you can’t get sued under HIPAA.
At least not directly. A plaintiff cannot file a complaint outwardly claiming damages for a “HIPAA violation,” but that has not stopped some state courts from permitting negligence claims using HIPAA to define a standard of care. The latest is Connecticut, whose Supreme Court recently created the new tort of “unauthorized disclosure of confidential information.”
The case is Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 327 Conn. 540 (2018) (to be published in A.3d), and its outcome will give healthcare providers in Connecticut even greater pause when producing medical records in litigation. In Byrne, the plaintiff/patient instructed the defendant healthcare provider not to release her medical records to her ex-boyfriend, who later filed a paternity action against the plaintiff. Id. at 542. The defendant healthcare provider then received a third-party subpoena in the paternity action ordering a records custodian to appear and produce the patient’s medical records, which the provider did by mailing records directly to the court a few days later. Id.
This is where Connecticut’s new tort comes in. Alleging that her ex-boyfriend viewed her records in the court file and then harassed her, the patient sued her doctor for breach of contract and negligence in multiple forms. Id. at 543-44. The trial court ruled initially that the negligence claims were preempted because the plaintiff was using HIPAA as the basis for her claims. Id. at 544-545. The Connecticut Supreme Court, however, reversed that order in 2014 and held that HIPAA did not preempt the claims. Given the purpose of HIPAA—i.e., to enact uniform rules—and the transparent nature of the plaintiff’s effort to enforce HIPAA through civil litigation that the statute does not permit, we would have criticized this ruling had we written on it when it came out in 2014.
But that is not today’s story. On remand, the trial court again ruled for the defendant and granted summary judgment on the basis that Connecticut law did not recognize a common law claim for breach of physician confidentiality. Id. at 548. On appeal, the Connecticut Supreme Court filled that gap:
We conclude that recognizing a cause of action for the breach of the duty of confidentiality in the physician-patient relationship by the disclosure of medical information is not barred by [Connecticut statutes] or HIPAA and that public policy, as viewed in a majority of other jurisdictions that have addressed the issue, supports that recognition.
Id. at 550. So Connecticut patients not only can sue their doctors now for negligently disclosing their medical information, but can do so for responding to a subpoena in a pending legal action.
The core of the opinion examines both federal law and other states’ laws to conclude that the “majority” support the new cause of action. On federal law, the Court held that HIPAA supported a common law claim because Connecticut doctors follow HIPAA anyway and that a state-law tort would support HIPAA:
We further conclude that, to the extent it has become common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.
. . . [N]egligence claims in state courts support at least one of HIPAA’s goals by establishing another disincentive to wrongfully disclose a patient’s health care record.
Id. at *556-57.
As for other states’ laws, the Court surveyed state cases and found eight states that recognized comparable claims (although the one case cited from New York does not really say that) and four that did not. Id. at 557-68. In following the states that have recognized the tort, the Court cited various sources for the duty, including state licensing statutes, evidentiary rules governing privileged communications, common law “principles of trust,” and the Hippocratic Oath. Id. at 564.
We have a few questions about this new tort. First, it is highly questionable to cite federal law as “supporting” a civil action with HIPAA defining the standard of care. As even the Connecticut Supreme Court acknowledged, “It is by now well settled that the statutory structure of HIPAA . . . precludes implication of a private right of action.” Id. at 555. Having recognized this principle on the one hand, the Court should not have invoked HIPAA to support its new private right of action on the other.
Second, it stands out that the Court spent about nine pages discussing the state authorities that support its position, but dismissed the four states that reject the tort in a single paragraph and a single sentence of analysis: “[Connecticut statutes] created a broad physician-patient privilege, and, therefore, the rationale of these jurisdictions that decline to recognize a common-law action for breach of duty of confidentiality is not persuasive in Connecticut.” Id. at 567. More discussion of the contra authorities would have been helpful, especially considering that Connecticut is not unique in recognizing a physician-patient privilege.
Third, what are healthcare providers supposed to do? The ex-boyfriend served a subpoena, a court-issued document that millions of litigants rely on every day to obtain documents—including medical records. The Connecticut Supreme Court’s first reaction is to denigrate subpoenas. Connecticut law allows disclosure of medical records without patient consent only pursuant to “statute or regulation of any state agency or the rules of court.” Id. at 568. According to the Court, a “subpoena without a court order” is none of those things. Id. That leaves us scratching our heads, because subpoenas in our home state and also in federal court are authorized by statute and/or court rules. We would be surprised if the law of Connecticut were different.
The Court also placed great weight on the fact that the healthcare provider did not appear in person to produce the records and did not alert the patient/plaintiff or move to quash. Id. at 569-72. But even though subpoenas routinely order record custodians to “appear” with records, they almost never do. They make the records available for copying, or they mail them, which is what the healthcare provider did here. This strikes us as creating a new cause of action on the back of a technicality. As for the requirement that the provider alert the plaintiff or seek a judicial remedy, the Court cited federal regulations. So now we are back to enforcing HIPAA.
We sometimes advocate for a high regulation, low litigation approach to product liability, and that approach particularly suits the protection of private information. Healthcare providers take patient privacy seriously, and when pulled involuntarily into litigation, the rules they need to follow ought to be clear. Connecticut’s new tort does not advance that cause.