Patient Sues Clinician for Privacy Violation After Practice Responds to Subpoena

HIPAA does not create the right for an individual to sue, only to file a complaint with the government. However, some states have begun to look at whether a common law cause of action may exist when a health care provider reveals private health information.

A follow-up to this case was recently published here.

Patient privacy is an extremely important, yet poorly understood, issue. When the Health Insurance Portability and Accountability Act of 1996 (HIPAA) went into effect, it created privacy rules governing the protection of identifiable health information by health plans and health care providers. Patients who believe their health information was improperly revealed or wasn’t properly protected may file a complaint with the Health and Human Services Department (HHS), which will investigate and penalize the offender if warranted. But do patients have a right to sue healthcare providers for privacy violations? HIPAA does not create the right for an individual to sue, only to file a complaint with the government. However, some states have begun to look at whether a common law cause of action may exist when a healthcare provider reveals private health information. This month’s case deals with this very scenario and was decided earlier this year in the state of Connecticut.

The patient, Ms. B, had been seeing a physician, Dr. A, who was part of an obstetrics and gynecology practice. The practice provided its patients, including Ms. B, with notice of its privacy policy regarding protected health information and agreed, based on this policy and the law, that it would not disclose the patient’s health information without her authorization. During the time that Ms. B was going to the practice, she was having a relationship with Mr. M. This relationship led to a pregnancy, and Dr. A provided medical care for Ms. B during and after the pregnancy. When Ms. B’s relationship with Mr. M ended, she contacted Dr. A’s practice and instructed the practice not to release any of her medical records to Mr. M. A few months later, Ms. B moved to another state and stopped using Dr. A as her healthcare provider.

Some time after Ms. B left the state, Mr. M filed a paternity action against Ms. B, and as part of the case, Dr. A’s practice received a subpoena instructing the “custodian of its records” to appear before the issuing attorney in court and to produce “all medical records” pertaining to Ms. B. Rather than contact Ms. B, or send an employee to court to respond to the subpoena, or even contact its own attorney, Dr. A’s practice simply put Ms. B’s entire medical file in an envelope and mailed it to court.

According to Ms. B, her former boyfriend, Mr. M, used the information for harassment and extortion, and, she claimed, there was embarrassing information contained in the medical records having no relevance to the pending paternity suit. Furious, Ms. B hired an attorney and sued Dr. A’s medical practice for disclosing her protected health information. The gynecology practice hired an attorney who filed a motion to dismiss the case, based on the contention that HIPAA preempts any action dealing with confidentiality/privacy of medical information. The defendant medical practice noted that no Connecticut court had ever recognized a common-law cause of action against a healthcare provider for breach of its duty of confidentiality for its response to a subpoena.

The trial court agreed with the defendant and held that “common law privilege for communications made by a patient to a physician has never been recognized in this state.” In its decision, the judge wrote that the court declined “to establish a new cause of action which would have wide-ranging implications for the medical community.” The trial court noted that HIPAA does not create a private right of action, but instead requires that violations be pursued via administrative channels (i.e., by filing a complaint with HHS). The case was dismissed.

Ms. B appealed this ruling.

Legal Background

On appeal, the Connecticut Supreme Court unanimously reversed the lower court’s decision. “The importance of confidentiality in the physician-patient relationship has been recognized by courts in numerous jurisdictions throughout the country,” wrote the court in its decision. Patients should be able to freely disclose their condition and symptoms to their doctors in order to receive treatment without fear that the facts will become public. The Connecticut Supreme Court looked at other jurisdictions and concluded that state law causes of action complement HIPAA by enhancing the penalties for its violation and thereby encouraging HIPAA compliance. The court concluded that:

A duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship for the purpose of treatment gives rise to a cause of action against the healthcare provider, unless the disclosure is otherwise allowed by law.

The defendant medical practice tried to argue that even if the court recognized a cause of action for breach of confidentiality, the case should be dismissed anyway because the medical records were disclosed in response to a subpoena. The court disagreed, and stated:

In the present case, there is a genuine issue of material fact as to whether the defendant violated the duty of confidentiality by the manner in which it disclosed the plaintiff’s medical records in response to the subpoena.

Accordingly, the case was remanded to the lower court for a trial on whether the way in which the medical practice complied with the subpoena was a violation of Ms. B’s confidentiality.

Protecting Yourself

This is an important case because it is a reminder that a patient’s privacy is paramount, and you cannot simply assume that because you received a subpoena, it is acceptable to turn over the patient’s medical records. In this case, the healthcare practitioner didn’t even properly comply with the subpoena. Instead of sending someone to court, as was required by the subpoena, the practice simply mailed the entire medical record. The medical practice could have contacted the patient to notify her and get her permission (or discover that it did not have her permission). The healthcare practitioner should have contacted the practice’s attorney to better understand what their duty was in response to the subpoena. Simply getting a subpoena will not give you blanket protection for violating a patient’s right to privacy and confidentiality – you can be sued, not to mention getting hit with administrative penalties if a HIPAA violation occurred. Always err on the side of caution when it comes to a patient’s records or private information. You can always provide more information; you can never take back what was already given.
