In a landmark ruling, the Vermont Supreme Court recently held that a patient had standing to sue both the hospital at which she was a patient and the employee who attended to her, for negligent disclosure of her personal health information to a third party. Neither the Health Insurance Portability and Accountability Act (HIPAA) nor Vermont law provides for a private cause of action for damages arising from a medical provider’s disclosure of information obtained during treatment.

In this case, the plaintiff claims that the emergency room nurse who cared for her lacerated arm later informed a police officer that she was intoxicated, had driven to the hospital, and intended to drive home. Ultimately, the Court concluded that “no reasonable factfinder could determine the disclosure was for any purpose other than to mitigate the threat of imminent and serious harm to the plaintiff and the public.”

While this conclusion is not surprising, what is a bit surprising is the Court’s allowance for this private cause of action to proceed in the first place, given that neither HIPAA nor Vermont law allows for one. The Court reasoned that in recognizing this private cause of action on the basis of common law, other courts have correctly relied on the theory of a breach of duty of confidentiality, insofar as “health care providers enjoy a special fiduciary relationship with their patients” such that “recognition of the privilege is necessary to ensure that the bond remains.”

The Court highlighted further that as evidence of sound public policy underlying the recognition of liability for breach of the duty of confidentiality, courts have cited “(1) state physician licensing statutes, (2) evidentiary rules and privileged communication statutes which prohibit a physician from testifying in judicial proceedings; (3) common law principles of trust, and (4) the Hippocratic Oath and principles of medical ethics which proscribe the revelation of patient confidences.”

The Vermont court joins many other jurisdictions across the United States honoring a private right of action in the context of a breach of the duty of confidentiality, on the basis of public policy. This decision further signifies the heightened focus being placed on an individual’s right to privacy and security of their data. Employers across all industries, but particularly healthcare, are advised to revisit their approach to maintaining sensitive personal information confidentially and securely, as legislation and common law continue to strengthen in this area.

 

Jason C. Gavejian

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Privacy blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.