The Connecticut Supreme Court has joined several other states by holding that health care providers owe patients a common law duty to maintain the confidentiality of their medical records. In a unanimous reversal of the lower court’s ruling, the court determined that the unauthorized disclosure of confidential information obtained in the course of a physician-patient relationship gives rise to a cause of action in tort against the health care provider, unless the disclosure is otherwise allowed by law.

Emily Byrne sued the Avery Center for Obstetrics and Gynecology, P.C. (“Avery”) for negligence and negligent infliction of emotional distress in connection with Avery’s release of her medical records in response to a subpoena issued by her ex-boyfriend, Andro Mendoza, in the course of a paternity action.  The subpoena instructed Avery to send the custodian of its records to appear, together with Byrne’s medical records, at the New Haven Regional Children’s Probate Court.  Avery did not alert Bryne about the subpoena, file a motion to quash it, or appear in court – it mailed Byrne’s medical records.  Bryne alleges that she suffered harassment and extortion threats from Mendoza because Avery gave him access to her medical records without her knowledge or consent.

The court held, in part, that the Health Insurance Portability and Accountability Act (HIPAA) does not bar a cause of action for the breach of the duty of confidentiality in the physician-patient relationship under state law.  Although HIPAA itself precludes a private right of action, it does not interfere with the imposition of other types of penalties that may be available under state law.  As a result, the court examined whether it should create a private cause of action based on a duty of confidentiality.

Although the central issue to the case is novel for Connecticut – namely, whether a patient has a civil remedy against a physician if the physician discloses confidential information without the patient’s consent – the court emphasized that it has long recognized that the principle of confidentiality lies at the heart of the physician-patient relationship.  The court also examined how jurisdictions throughout the country addressed this issue and found that a majority of other states do recognize a common law cause of action for breach of the confidentiality of medical records by health care providers. Only four jurisdictions –District of Columbia, Georgia, Missouri and Tennessee–do not recognize this cause of action.

The most common basis for recognizing this cause of action is that the health care providers enjoy a special fiduciary relationship with their patients and that recognition of the privilege is necessary to ensure that this bond remains.  In the absence of an explicit statutory prohibition, other courts have found the basis for this right of action in four sources:

  • State physician licensing statutes.
  • Evidentiary rules and privileged communication statutes which prohibit a physician from testifying in judicial proceedings.
  • Common law principles of trust.
  • Hippocratic Oath and principles of medical ethics.

As a reminder, HIPAA permits the disclosure of protected health information (PHI) pursuant to a subpoena not accompanied by a court order if the covered entity receives satisfactory assurances from the party seeking the PHI that there were reasonable efforts to:

  1. Notify the individual who is the subject of the PHI; or
  2. Secure a qualified protective order from the court.

Avery admitted that it did not comply with these HIPAA requirements in its response to the subpoena.

As a result of recognizing the new duty of care, the court remanded the case for further proceedings in accordance with its opinion.

If you have any questions about this case, other states’ common law causes of action for breaches of confidentiality of medical records, or HIPAA more generally, please contact any member of Drinker Biddle’s Health Care Team.