The Connecticut Supreme Court issued an opinion yesterday recognizing a common law duty of confidentiality arising from the physician-patient relationship and establishing a new private cause of action for breach of this duty. Connecticut now joins a number of states which allow patients to recover from physicians who disclose confidential medical information without authorization. Byrne v. Avery Center for Obstetrics and Gynecology, P.C.
This case is significant because the federal Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of patient medical information, does not create a private right of action for patients whose medical information is disclosed without their consent, and Connecticut General Statutes §52-146o, which limits disclosure of patient information by physicians, surgeons and other licensed health care providers, does not explicitly provide a cause of action (or any other remedy) for improper disclosures of confidential communications. The court limited its holding to the physician-patient relationship, so it is unclear at this time the extent to which yesterday’s decision applies to other health care providers.
In Byrne, counsel for the putative father in a paternity suit subpoenaed the defendant, a medical practice, for the health records of one of its patients, Emily Byrne, with whom the putative father had had a relationship. The medical practice responded to the subpoena by mailing Byrne’s records to the probate court, where the records became publicly available and were accessed by the putative father. Byrne claimed that she suffered harassment and extortion threats from the putative father as a result of the disclosure and brought an action against the medical practice to recover damages for, among other things, negligent infliction of emotional distress and negligence in failing to use proper and reasonable care in protecting her records, including disclosing them without authorization in violation of CGS §52-146o and HIPAA. The defendant medical practice filed a motion for summary judgment arguing that Connecticut’s common law does not recognize a cause of action against health care providers for breach of the duty of confidentiality in the course of responding to a subpoena.
The trial court dismissed Byrne’s claims for negligence and negligent infliction of emotional distress, finding that these claims were essentially violations of HIPAA and were therefore preempted because HIPAA bars private suits. On Byrne’s first appeal, the Connecticut Supreme Court held that, to the extent Connecticut’s common law recognizes claims arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA did not preempt her state law claims of negligence and negligent infliction of emotional distress and, further, that HIPAA may inform the applicable standard of care in certain circumstances. However, the court did not go so far as to state that Connecticut recognizes a cause of action arising from a health care provider’s breach of patient privacy. The case was remanded to the trial court, which found no common-law privilege for communications between a patient and physicians and therefore no private right of action.
On Byrne’s second appeal, the Connecticut Supreme Court discussed at some length the public policy behind recognizing confidentiality in the physician-patient relationship and reviewed case law from several other states, finding that a majority of jurisdictions that have considered the question have recognized a cause of action against a physician for the unauthorized disclosure of confidential medical information obtained in the context of the physician-patient relationship. The court reversed the decision of the trial court and recognized a duty of confidentiality arising from the physician-patient relationship and held that an unauthorized disclosure of confidential information obtained for the purpose of treatment gives rise to a cause of action, unless the disclosure is otherwise allowed by law.
Notably, the court rejected the medical practice’s argument that the subpoena fell within an exception to CGS §52-146o that permits disclosures without patient consent for “statutes, regulations or rules of court” since the subpoena was issued without court order. Further, by mailing Byrne’s medical records directly to the probate court, the practice did not comply with HIPAA’s rules governing responses to subpoenas without court order, since the practice failed to obtain assurances either that the patient had been notified of the subpoena or that a protective order had been sought. The court also found that the practice failed to comply with the terms of the subpoena itself, as the subpoena required the practice’s custodian of records to appear in person before the attorney who issued the subpoena.
Byrne marks a significant extension of prior law in Connecticut regarding patient privacy. In light of Byrne, physicians, group practices and other licensed providers should take additional precautions to ensure that patient medical records are treated in a confidential manner. For example, in addition to the mandatory training required by HIPAA, staff should be reminded of the rules governing patient confidentiality on a regular basis, and such training should include the process for responding to subpoenas and other requests for patient information. And if there is a question about whether a particular disclosure can be made without the patient’s authorization, the physician should first obtain the advice of counsel versed in this area of the law.