This month we revisit a very important privacy case which held that a violation of medical privacy under HIPAA could lead to tort liability under state law. The case lingered in the courts for a total of almost 12 years, reaching the state supreme court twice, and set new precedent recognizing a cause of action for patients who have been harmed by the unauthorized disclosure of private medical information.
The plaintiff in the case, Ms. B, was a patient of a physician who was part of an obstetrics and gynecology practice. When Ms. B discovered she was pregnant, she sought care from the practice, but asked them not to reveal any medical records to her former boyfriend, Mr. M. Sometime after the baby was born, Ms. B moved away and stopped using the practice. However, her former boyfriend, Mr. M, filed a paternity action and subpoenaed the practice, instructing the “custodian of its records” to appear before the issuing attorney in court and to produce “all medical records” pertaining to Ms. B.
Rather than notify Ms. B, consult its attorney, or send an employee to court, the practice simply put all of Ms. B’s medical records in an envelope and mailed them to court, where Mr. M was able to access the information. According to Ms. B, her former boyfriend used the information to harass and extort her, and that embarrassing information had been provided by the practice that had nothing to do with the paternity issue. Ms. B instituted a lawsuit against the Ob/Gyn practice.
Over the course of the next decade, the case was in and of court. Originally it was dismissed, with the trial court holding that although this was a HIPAA violation, HIPAA does not create a private right of action, but instead requires that violations be pursued via administrative channels by filing a claim with the Department of Health and Human Services.
The case was appealed to the supreme court of the state, which held that HIPAA does not preempt a common law cause of action for negligence if a healthcare provider breached its duty of confidentiality in complying with a subpoena. The case was remanded to trial court again, where the judge dismissed most of the claims, holding that no courts in Connecticut had recognized or adopted a common law privilege for communications between a patient and physicians.
Ms. B appealed again, and finally in 2018, the state supreme court released its landmark ruling, holding that “a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship for the purpose of treatment gives rise to a cause of action against the healthcare provider, unless the disclosure is otherwise allowed by law.”
The supreme court recognized that there was a genuine issue of material fact as to whether the practice had violated its duty of confidentiality by the way it responded to the subpoena, and whether Ms. B had been harmed by this. We looked at this decision in the article Patient Sues Clinician for Privacy Violation After Practice Responds to Subpoena, published in April 2018.
At that time, the state supreme court noted the importance of physician-patient confidentiality. “When that confidentiality is diminished to any degree, it necessarily affects the ability of the parties to communicate, which in turn affects the ability of the physician to render proper medical care and advice,” wrote the court in its decision which recognized a common law cause of action for negligent disclosure of confidential health information. The court remanded the case back down to the lower court for a trial on whether the practice breached Ms. B’s confidentially with its response to the subpoena.