The Health Insurance Portability and Accountability Act has no private cause of action. Because of this, patients cannot sue healthcare providers for privacy violations. But a number of states, such as New York, Massachusetts and Missouri, have rulings that allow patients to file lawsuits against healthcare organizations for unauthorized disclosures of medical records.
The Connecticut Supreme Court made a ruling recently that permits Connecticut residents to file lawsuits to seek damages from negligent disclosures of medical records. The Court recognized the need for a “duty of confidentiality” in physician-patient relationships. A breach in patient’s PHI and privacy can lead to compensation for damages. The legal precedent for this ruling was in the case Byrne versus Avery Center for Obstetrics & Gynecology (ACOG). Emily Byrne sued ACOG for disclosing her medical records to a man seeking to have custody of her child in a paternity suit.
The Court issued a subpoena for ACOG to appear before a lawyer and provide Byrne’s medical records. But ACOG did not appear and just mailed a copy of the medical records to the New Haven Regional Children’s Probate Court. Without limiting the disclosure of information, the man seeking custody of her child got hold of the records.
Byrne and her lawyer Bruce L. Elstein pointed out ACOG’s negligence in disclosing her medical records and breach of contract. But ACOG argued that patient consent was not necessary if the disclosure of medical records is a response to a subpoena. Byrne replied that HIPAA implements a standard of care for the medical records of patients. When ACOG released her records, it violated that standard. The Superior Court ruled in favor of ACOG based on the HIPAA rule that private suits are not allowed to file a lawsuit against healthcare providers for privacy violations.
Byrne submitted an appeal and the Supreme Court approved the appeal. In 2014, the Court ruled that HIPAA serves as a standard of care that could be used for common law claims. For a second time, the Supreme Court heard the case and disagreed with ACOG’s argument that patient consent is not necessary when disclosing medical records in response to a subpoena. The federal laws actually require the provider to get “satisfactory assurances,” which means the patients must be notified about the request for medical records. In this case, the defendant ACOG failed to do what is required.