Physician practices and other health care providers respond to numerous requests for confidential patient information from patients and others. Mistakes made by employees fulfilling such requests for medical records or making similar disclosures can expose the practice to civil litigation. A recent decision by the Connecticut Supreme Court (Byrne v. Avery Center for Obstetrics and Gynecology) confirmed a patient’s common law right to sue in these situations putting health care providers in Connecticut at greater risk of being sued if they are not careful in the handling of patient confidential information

The Connecticut Supreme Court’s decision, released on January 16, 2018, held in short that the physician-patient relationship creates a common law duty of confidentiality, and that patients have a common law right to sue for breaches of that duty. So, while it is true that the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) do not provide patients a private right of action, health care providers in Connecticut and a significant number of other states can be sued for unauthorized disclosures of confidential patient information.

In 2014, we reported on an earlier appeal in this same case, referencing the challenges healthcare providers have with responding to attorney requests for information and subpoenas. The underlying facts are that the patient (plaintiff) advised the provider (defendant) not to disclose her protected health information to her significant other. However, when the provider received a subpoena in connection with a paternity suit that was sent on behalf of the significant other seeking the patient’s medical file, the provider “did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court. Rather, the defendant mailed a copy of the plaintiff’s medical file to the court.” In the 2014 decision, the Court refused to rule on whether Connecticut’s common law recognizes a negligence cause of action arising from these facts. In its more recent decision, however, the Court ruled that such a cause of action is recognized under Connecticut law, observing from a decision in another state:

it is impossible to conceive of any countervailing benefits which would arise by according a physician the right to gossip about a patient’s health.

The Court also ruled that as it has become common practice for Connecticut health care providers to comply with HIPAA and its implementing regulations, the statute and those regulations may be used to “inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

As noted, this case should be a strong reminder to providers to be more careful when responding to requests for protected health information under HIPAA, at a minimum. Often documents seeking protected health information look official and threatening, but they may be nothing more than an attorney’s request for PHI, which without more generally will not justify disclosure under HIPAA. The fact that a private right of action does not exist under HIPAA is not the end of the inquiry. Providers have to consider the layers of other laws that potentially could provide a patient a remedy for a questionable disclosure of the patient’s medical records.