Healthcare providers continue to face challenges in responding to attorney requests for information and subpoenas. We highlighted some of these last year, along with some issues providers should be considering to help meet those challenges. In this case, after the patient advised the provider not to disclose her PHI to her significant other, the provider received a subpoena in connection with a paternity suit that was sent on behalf of the significant other seeking the patient’s medical file. According to the Supreme Court’s decision, the provider “did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court. Rather, the defendant mailed a copy of the plaintiff’s medical file to the court.” Without deciding whether Connecticut’s common law recognizes a negligence cause of action arising from this situation, the Court agreed with the patient, concluding such an action is not preempted by HIPAA and, further, that the HIPAA regulations may be used to establish the provider’s standard of care. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., No. 18904.
As part of its reasoning supporting the decision, the Court pointed to language in the preamble to the final HIPAA privacy regulations discussing preemption. Specifically, the Court noted that commentators had raised the issue of whether “a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.” Standards for Privacy of Individually Identifiable Health Information, 65 Fed.Reg. 82,462, 82,582 (December 28, 2000). The Department of Health and Human Services responded:
the fact that a state law allows an individual to file [a civil action] to protect privacy does not conflict with the HIPAA penalty provisions
(While the Department’s view is not binding, the Court noted that “[w]here an agency has authoritatively interpreted its own rule, courts generally defer to that reading unless it is plainly erroneous or inconsistent with the regulation.”) The Court went on to list a number of decisions holding that HIPAA does not preempt causes of action that exist as a matter of state common or statutory law and arise from health care providers’ breaches of patient confidentiality in a variety of contexts. The Court also mentioned that some of these cases permitted HIPAA to inform the relevant standard of care in such actions.
This case should be a strong reminder to covered entities, and their business associates, to be more careful when responding to requests for protected health information under HIPAA. Often documents seeking protected health information look official and threatening, but they may be nothing more than an attorney’s request for PHI, which, without more, generally will not justify disclosure. The fact that a private right of action does not exist under the HIPAA privacy or security regulations is not the end of the inquiry. Providers and business associates have to consider the layers of other laws that potentially could provide a patient a remedy for a questionable disclosure of the patient’s medical records, such as state health laws and regulations, common law torts, and other measures.