Running a hospital, ambulatory center or medical practice is no easy task. Managing staff, implementing workflows and protocols, and ensuring that practice assets like computer, phone, and file systems are working properly all take time away from the core mission of a medical practice, treating patients. A recent Connecticut Supreme Court case highlights just how important it is to ensure that all of a medical practice’s processes, policies, and decision making comply with all privacy obligations, including state laws.
In Byrne v. Avery Center for Obstetrics and Gynecology, the Avery Center was instructed by Byrne, the patient, not to release medical records to a certain individual, Andro Mendoza. Thereafter, Mendoza filed a lawsuit against Byrne and issued a subpoena to the Avery Center for the medical records of Byrne. The Avery Center, without alerting Byrne or taking any steps to challenge the subpoena, sent Byrne’s records to the court in response to the subpoena, thereby giving Mendoza access.
The Court made two important findings that will impact medical practices in Connecticut and, perhaps, elsewhere. First, the judge held that the preemptive effect that HIPAA has on state laws, and its lack of a private right of action, do not apply to state law or common law claims arising from the practice’s breach of patient confidentiality. As such, medical practices may face a plethora of state and common law claims by individuals alleging wrongful conduct based on state statutes or common law that provide protections for privacy of medical information. Second, and perhaps of greater significance, the Court held that “to the extent it has become the common practice for . . . health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care . . . .” In this way, HIPAA may serve as a metric for various state law claims and trigger a state law cause of action for the practical equivalent of failing to meet HIPAA standards.
The Byrne case is not novel in its holding. In fact, the decision cites to numerous other cases with similar holdings. However, the case is yet another reminder of the many ways inadvertence to HIPAA privacy standards can pose significant risk to a medical practice. Indeed, as this and other similar cases demonstrate, there are many avenues for a patient who has been allegedly wronged to tie up a practice in expensive litigation for many years. If you have questions about HIPAA compliance or compliance with state privacy laws and regulations, please contact Kenneth N. Rashbaum.