An ongoing legal case illustrates the risk healthcare providers face when they do not properly safeguard patient data and make it available to third parties without consent, even when complying with a subpoena.

A recent legal ruling allows patients in Connecticut to sue any healthcare entity for damages related to a HIPAA violation, and the same theory would hold in many other states.

The Connecticut Supreme Court recently ruled that patients in the state can sue doctors and other healthcare providers for the disclosure of their confidential medical records without the patient’s consent. The ruling involved a client represented by Bruce Elstein, JD, an attorney with the law firm of Goldman Gruder & Woods, who explains that Byrne v. Avery Center for Obstetrics & Gynecology has been in litigation for 12 years.

Elstein’s client, Emily Byrne, received prenatal care at the OB/GYN practice in Westport, CT. In 2004, she specifically told the practice not to release her records to her former partner, Andro Mendoza. The following year, she moved to Vermont.

“She had broken off that relationship with the father of the child and informed the office to provide to him no information,” Elstein says.

Mendoza filed paternity actions against Byrne in Connecticut in May 2005 and sent the OB/GYN practice a subpoena requesting all of Byrne’s medical records. The practice mailed the records to the New Haven Regional Children’s Probate Court, which made them available to the public as part of the legal record.

“The subpoena demanded the office produce the entirety of her file. HIPAA regulations have specific regulations for what to do when there is a civil subpoena, which first requires notifying the patient and also obtaining satisfactory assurance from the party issuing the subpoena that the patient has been notified,” Elstein explains. “Then, they are to show up in court with the documents and provide the minimum amount necessary for the issue at hand.”

The OB/GYN practice did not call a lawyer, a consultant, or even consult its own HIPAA manual before responding to the subpoena, Elstein says. Instead, someone at the practice called the lawyer issuing the subpoena and asked how to comply with the request, he says.

“The lawyer said, ‘why don’t you stick them in an envelope and mail them to the court?’ So, that’s what they did,” Elstein says. “The entirety of the patient’s record was copied, cover to cover, and mailed to the court. The clerk received the envelope and stuck it in the file.”

Byrne’s lawsuit claims that after seeing the records, Mendoza began to harass Byrne and tried to extort money from her. Byrne was successful in her request to the court to seal her medical records in September 2005.

“He read her records cover to cover and then went on a campaign to inflict some serious emotional distress upon her, using the information to embarrass her, extort her, and to extort others, namely her employer, the chief of police, and the town in which he lived,” Elstein says.

Byrne sued the OB/GYN practice for negligence, claiming it violated HIPAA by releasing her medical records. The superior court rejected the claim, saying such private suits involving HIPAA were prevented by federal law.

The state supreme court upheld the lower court’s ruling, and further wrangling continued at the trial level. But recently, the Connecticut Supreme Court reversed its earlier position and ruled that a physician-patient relationship creates a “duty of confidentiality” and that a covered entity’s “unauthorized disclosure of confidential (medical) information … gives rise to a cause of action sounding in tort against the healthcare provider, unless the disclosure is otherwise allowed by law.”

Justice Dennis G. Eveleigh, JD, wrote the court’s opinion, which was based on reviews of relevant laws from South Carolina, Massachusetts, Missouri, and other states. The opinion noted that liability for breaches of confidentiality is consistent with sound medical practice under both state and federal law.

Elstein says the case illustrates the need for more than just superficial efforts to comply with HIPAA. When the law first became effective, physician practices typically sent an office manager or another representative to a seminar hosted by a consulting company. Typically, they were left with a manual for how to comply with HIPAA, he says. That likely is not enough of a HIPAA compliance program for any covered entity; however, at a minimum, Elstein says, read that manual.

“The lesson of this case is that HIPAA means what it says. You can’t make up your own private method of answering a subpoena and complying with HIPAA,” he says. “HIPAA spells out the right way to respond. It requires making sure the patient has been notified, and it requires going to court, not putting everything in an envelope and sending it off, unless there have been specific authorizations. Even when all parties agree to how the records will be provided, HIPAA still requires that you produce the minimum necessary to address the issue at hand.”

In this case, the paternity of the child was the only issue pertinent to the paternity case for which the subpoena was issued, Elstein explains. The patient’s complete OB/GYN history was not relevant and should not have been provided.

“The medical office is still arguing that this is what they do whenever there is a subpoena, and it was proper,” Elstein says. “Our supreme court has said it is not the proper way to respond, but they continue bringing in experts to say there are lots of ways to respond to a subpoena and mailing it all in to the court is one way you do it. I think medical providers who consult with lawyers and experts in HIPAA would completely disagree.”

Elstein notes this legal reasoning is not unique to Connecticut. Other state supreme courts have issued similar rulings. While it is true that there is a pre-emption of private causes of action under HIPAA, meaning a plaintiff cannot sue in federal court for a HIPAA violation, there is a strong trend among states that HIPAA can establish the standard of care for a state cause of action alleging negligence, Elstein explains.

“The Connecticut Supreme Court ultimately decided that there is a private remedy for violating that standard of care, and you are exposed to damages for the harm you caused by breaching medical confidentiality. That is the majority trend across the United States, although it is not absolute,” Elstein says. “If a surgeon severs the spinal cord, he or she can expect to pay for damages if it was negligent. The same is now true for the medical information we provide our doctors, hospitals — all medical providers.”