Federal HIPAA Privacy Rule Provides Standard of Care for State Common Law Breach of Medical Confidentiality And Potentially for Class Action Claims of Data Breach

by John Zen Jackson

In an opinion filed November 11, 2014, the Supreme Court of Connecticut held that to the extent that state law recognized a cause of action for breach of a health care provider’s duty of confidentiality in responding to a subpoena issued in connection with private litigation involving the patient, such a cause of action was not preempted by the provisions of the HIPAA Privacy Rule.  The HIPAA regulations, however, could inform the standard of care applicable to such a claim.  The Supreme Court reversed the dismissal of the negligence counts alleging breach of confidentiality and remanded the matter for further proceedings.  Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 2014 WL 5507439 (Conn. 2014).

The plaintiff in Byrne had been a patient of the OB-GYN group and had received a copy of its Notice of Privacy Practices, which included a representation that protected health information would not be disclosed without her authorization.  The patient had been in a relationship with one Andro Mendoza, which had ended.  She directed the OB-GYN group not to release any of her information to Mr. Mendoza.  Mendoza filed paternity actions and issued a subpoena to the OB-GYN group for her medical records.  The OB-GYN group did not alert the patient to receipt of the subpoena, move to quash it, or appear in court in response.  Rather, it mailed a copy of the patient’s medical file to the court.  The records were not placed under seal but were made available to Mendoza for review.  The plaintiff alleged that she had been harassed by Mendoza and had received extortionate threats from him after he accessed her medical records.

On motions for summary judgment, the trial court had concluded that there was no private right of action under HIPAA and that the Federal regulations preempted any basis for action in the state court.  In its opinion, the Connecticut Supreme Court acknowledged the now well established proposition that HIPAA does not provide a private right of action, and noted the plaintiff’s concession on that point.  However, it emphasized that the cause of action was not based on HIPAA but would use the HIPAA regulations as evidence of the proper standard of care.  “[T]o the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”  The court concluded that common-law negligence actions, with HIPAA informing the standard of care, did not obstruct, preclude, conflict with, or complicate health care providers’ compliance with HIPAA for preemption purposes.  On the contrary, it stated:  “[N]egligence claims in state courts support ‘at least one of HIPAA’s goals by establishing another disincentive to wrongfully disclose a patient’s health care record.’”  (Quoting Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 50 (Minn. App. 2009).)

In a pre-HIPAA opinion by Judge Philip Carchman, the New Jersey Appellate Division identified a cause of action in tort under state law for improper disclosure of medical records in response to a subpoena where the procedural requirements for the subpoena had not been followed and, as in Byrne, the health care provider had simply mailed the requested records – although directly to the attorney issuing the subpoena.  Crescenzo v. Crane, 350 N.J. Super. 531 (App. Div.), certif. denied, 174 N.J. 364 (2002).  There is no published opinion from a New Jersey court that directly addresses this issue in light of HIPAA.  In Smith v. American Home Products, 372 N.J. Super. 105 (Law Div. 2003), Judge Marina Corodemus rejected a contention by plaintiffs that the HIPAA regulations preempted the informal discovery procedures permitted by state law, but acknowledged that certain additional procedural safeguards were required to be HIPAA-compliant.

In a posting in July of this year, we had noted the developing groundswell of decisions utilizing HIPAA violations as a basis for a cause of action arising under state law.  The Connecticut decision joins a number of jurisdictions that now include decisions from the highest court in North Carolina (Acosta v. Byrum, 638 S.E.2d 246 (N.C. 2006)) and West Virginia (R.K. v. St. Mary’s Medical Center, 735 S.E.2d 715 (W.Va. 2012), cert. denied, 133 S.Ct. 1738 (2013)); as well as lower court decisions in Missouri, Minnesota, and Tennessee.  These lower court decisions are collected in the R.K. opinion.

Building on the R.K. precedent and the use of HIPAA as a standard of care for breach of medical confidentiality, West Virginia expanded that cause of action into a basis for a data breach class action in its opinion in Tabata v. Charleston Area Medical Center, 759 S.E.2d 459 (W.Va. 2014), which was featured in our July blog posting.  The court found that the breach of confidentiality itself was a sufficient “injury in fact” to sustain the putative class claim.  Two recent Illinois decisions reached the seemingly opposite conclusion in HIPAA data breach claims arising – once again – out of the loss of unencrypted laptop computers.  In Vides v. Advocate Health & Hospitals, Case No. 13-CH-2701 (Ill. Lake County Cir. Ct. May 27, 2014), and in Maglio v. Advocate Health & Hospitals, Gen. No. 13 L 538 (Ill. Kane County Cir. Ct. July 10, 2014), the court granted motions to dismiss a putative class action arising out of a data breach, holding that the recent United States Supreme Court decision in Clapper v. Amnesty Int’l, Inc., 133 S.Ct. 1138 (2013), compelled “rejection of Plaintiffs’ argument that an increased risk of identity theft is sufficient to satisfy the injury-in-fact requirement for standing.”  The potential for future injury was deemed too speculative to sustain the cause of action.  The Illinois decisions are in line with the overall consensus in data breach cases that putative class members lack standing where there is only a possible future risk of harm and they cannot show an injury-in-fact.  It remains to be seen whether the more focused concept of breach of medical confidentiality as an injury in itself will be widely accepted as conferring standing and liability on a class basis for a HIPAA breach.