State Court Cases Address Liability for HIPAA Privacy Violations

Several recent state court decisions involving HIPAA privacy violations are raising serious questions regarding liability on behalf of healthcare providers as well as hefty monetary damage awards. While HIPAA itself does not provide a private cause of action for privacy violations, these recent decisions reveal that privacy breaches can form the basis for state law claims brought by patients or customers against healthcare providers.

In a recent Connecticut case, Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the plaintiff began a personal relationship with an individual that ended after several months in 2004. Shortly after their relationship ended, the plaintiff advised Avery Center for OB GYN (Avery Center) not to release her medical records to the individual. In May 2005, the individual instituted a paternity action against the plaintiff. In connection with the paternity action, Avery Center was served with a subpoena for the plaintiff’s medical records. Avery Center did not alert the plaintiff of the subpoena, file a motion to quash or appear in court; instead it sent a copy of Byrne’s medical file to the New Haven Regional Children’s Probate Court. Several months later, the individual advised Byrne that he had reviewed her medical records in the court file, after which Byrne then filed a motion to seal her medical records. Byrne subsequently brought suit against Avery Center alleging, among other things, negligence for failing to use proper and reasonable care in protecting her medical file, including disclosing it without authorization in violation of HIPAA, and breach of contract for violating its privacy policy. With respect to the negligence claims, the trial court concluded that HIPPA preempted any action dealing with confidentiality/privacy of medical information and dismissed the claims. The plaintiff appealed, claiming that the trial court improperly determined that HIPAA preempted her negligence based state law claims.

The Connecticut Supreme Court concluded that “….HIPAA, and particularly its implementation through the Privacy Rule regulations, does not preempt causes of action, when they exist as a matter of state common or statutory law, arising from health care providers’ breaches of confidentiality in a variety of contexts.” In reaching this conclusion the court considered the regulatory intent of administrative commentary to the HIPAA final rule in which the Department of Health and Human Services responded to a question stating that “the fact that a state law allows an individual to file [a civil action] to protect privacy does not conflict with the HIPAA penalty provisions.” Further the Court found that several other courts “….have determined that HIPAA may inform the relevant standard of care in such actions.” Thus a breach of the HIPAA Privacy Rule may serve as the underlying basis for a finding of a breach of a duty of care in a state court negligence action. As reported by MedCity News, Connecticut now joins at least nine other states in recognizing that while HIPAA does not offer a private cause of action for privacy violations, it does provide a standard against which a party’s actions will be judged. The Connecticut Supreme Court remanded the case to the trial court and permitted the plaintiff to proceed with the negligence claim.

This case raises concerns for HIPAA covered entities and business associates, demonstrating that privacy violations are not only enforceable by the Office of Civil Rights or the state attorney general, but may also form the basis for a lawsuit brought by the patient. The Byrne case involved a healthcare provider’s response to a subpoena requesting protected health information (PHI). While HIPAA includes specific rules about responding to subpoenas, state law may also impose distinct limitations on the disclosure of medical information in the context of a subpoena. We recently examined this issue in the context of Michigan law when responding to subpoenas and warrants for PHI in a white paper for the State Bar of Michigan’s Health Care Law Section. Healthcare providers are advised to understand the legal considerations, both state and federal, of responding to a subpoena or risk facing considerable consequences for an impermissible disclosure.

In another recent case, the Indiana Court of Appeals upheld a $1.44 million dollar jury verdict against Walgreen and a pharmacist who shared protected health information about a customer that had previously dated her husband. In Walgreen Co. v. Hinchy, the pharmacist, Audra Withers, looked up the prescription history of Abigail Hinchy, who had previously dated her significant other, Davion Peterson. Peterson then contacted Hinchy, who had given birth to a son, and indicated he had a printout showing that Hinchy had not filled her birth control prescription around the time she became pregnant. Hinchy ultimately filed suit against Walgreen and the pharmacist for negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion. Hinchy sought liability against Walgreen for the claims against the pharmacist on a theory of respondeat superior.

The Court held that the trial court properly permitted the jury to consider Walgreen’s liability based on a theory of respondeat superior, explaining that the pharmacist’s actions “were of the same general nature as those authorized, or incidental to the actions that were authorized, by Walgreen. The court noted

Specifically, Withers was authorized to use the Walgreen computer system and printer, handle prescriptions for Walgreen customers, look up customer information on the Walgreen computer system, review patient prescription histories, and make prescription-related printouts. Withers was at work, on the job, and using Walgreen equipment when the actions at issue occurred. Hinchy belonged to the general category of individuals to whom Withers owed a duty of privacy protection by virtue of her employment as a pharmacist. The fact that some of Withers’s actions were authorized, or incidental to authorized actions, or of the same general nature as authorized actions, precludes summary judgment.

The Court of Appeals also did not disturb the jury’s award of damages on appeal, which found Walgreen and the pharmacist responsible for $1.44 million, or 80 percent of the damages. The jury found Peterson responsible for 20 percent of Hinchy’s damages. The Indy Star reported that this is the first published appellate court decision in the U.S. where a healthcare provider is being held liable for the HIPAA privacy violation of its employee.

Speak Your Mind