This week, the Connecticut Supreme Court issued an opinion which upheld a state common law negligence action against a healthcare provider for violation of privacy and confidentiality laws and regulations using as evidence of the standard of care the Health Information Portability and Accountability Act (HIPAA) and its accompanying regulations. The court denied defense arguments that HIPAA, which expressly does not provide a private right of action, preempts such state law negligence claims.

The plaintiff was a patient of the defendant and had been provided with a copy of defendant’s privacy policy, which provided that protected health information would not be released or disclosed without the patient’s authorization. Shortly thereafter, the plaintiff’s ex-boyfriend filed suit against the plaintiff and served defendant with a subpoena requesting the patient’s medical records. Defendant responded to the subpoena by filing the plaintiff’s medical record with the court, but did not notify the plaintiff. The plaintiff alleged that, as a result of this disclosure, she suffered harassment and extortion from her ex-boyfriend. The trial court initially ruled for the defendants, stating that HIPAA preempted any state statutory or common law claims related to HIPAA violations.

While acknowledging that it was “well settled” law that HIPAA creates no private right of action, the Connecticut Supreme Court reversed the trial court’s decision, noting that the plaintiff was not asserting a statutory right or a private right of action under HIPAA, but rather was making a common-law negligence claim with HIPAA informing the standard of care. The court, in reviewing HIPAA’s preemption provisions, which apply to “contrary” provisions of state law and exempt “more stringent” state laws, concluded that HIPAA did not preempt a state common law theory of negligence. The court found that HIPAA was appropriately used to inform the standard of care applicable to such a negligence theory on the basis that HIPAA now sets standards for health information privacy and confidentiality among health care providers. The court was able to identify multiple decisions in both federal and state courts throughout the country which came to similar conclusions regarding HIPAA’s failure to preempt common law claims of negligence.

This is an important decision that reflects how HIPAA non-compliance or breach can be used to establish claims of negligence based on breach of applicable standards of care extending to not only “covered entities” such as health care providers, insurers or clearinghouses, but also those organizations that do business with Covered Entities as Business Associates. Based on the Connecticut decision and other similar cases throughout the country, there is a likelihood we will see an increased number of claims using state common law negligence actions based on unauthorized release or disclosure of the plaintiff’s protected health information, or even an inadvertent breach, if appropriate physical and technological safeguards were not in place as required by federal and state privacy laws.

The case is Emily Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (SC 18904).