The Byrne Decision: Potential Liability for HIPAA Violations in Connecticut

December 15, 2014

Based on a recent groundbreaking decision by the Connecticut Supreme Court, healthcare providers in Connecticut should hesitate before producing their patients’ medical records in response to a subpoena. In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433 (Nov. 11, 2014), the Supreme Court provided patients with an avenue to assert state-law negligence claims based on violations of HIPAA regulations.

In Byrne, the defendant gynecology center was served with a subpoena to produce the plaintiff’s medical records to the clerk of a court where a paternity suit was pending. The defendant complied with the subpoena without securing the patient’s authorization to produce the records, without alerting the patient, and without challenging the subpoena in court. The records were then reviewed by a party in the paternity suit who allegedly used the information to harass and extort the plaintiff. The plaintiff sued the gynecology center, claiming that it breached its duty of confidentiality and violated her privacy rights when it released her medical records without her consent. The trial court dismissed the plaintiff’s negligence claims, holding that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which does not provide for a private remedy, preempted her state law claims. The Supreme Court in Byrne reversed the trial court’s dismissal, holding that, to the extent that Connecticut common law provides a remedy for patients when health care providers breach their duty of confidentiality, HIPAA does not preempt a patient’s common law claims. The court also went further, concluding that HIPAA and its implementing regulations “may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records.”

Based on the Byrne ruling, healthcare providers will now be exposed to negligence claims arising out of alleged breaches of confidentiality regarding protected health information. As a result, providers must be vigilant about releasing protected health information only when they have been provided a valid patient authorization, regardless of whether they have been served with a valid subpoena. In light of the Supreme Court’s decision in Byrne, we recommend that healthcare providers develop a written policy which establishes clear prerequisites for release of a patient’s records. This policy should be explicit in requiring a valid patient authorization for the release of protected health information under all circumstances – no exceptions. The policy should also include a provision for patient notification when documents are produced in response to a subpoena.

The takeaway from Byrne is that protected health information should not be released by a provider under any circumstances without a valid patient authorization. There are legal mechanisms to challenge a subpoena where the patient has not expressly authorized release of her records. For example, counsel may move to quash the subpoena or seek a protective order under those circumstances.