The Connecticut case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology involves a patient who sued a healthcare clinic that released her medical records to her baby’s father after being specifically asked not to release them to him. Granted, there was a subpoena from the father’s attorney, but the clinic gave no notice at all to the patient before responding with the records, even though she had specifically requested that her records not be released. Had they simply let her know about the situation before responding to the subpoena, this likely wouldn’t be happening. But what is done is done.
The Connecticut State Supreme Court released a ruling Nov 11 that says Byrne has the right to sue the clinic for negligence for violating the HIPAA Privacy Rule. Well, that is sort of what they said. It is well known there is no “private right of action” under HIPAA, meaning the law does not provide a basis for private suits, only for enforcement by regulators. This case didn’t argue that point. In fact, they conceded it. What they argued is that the HIPAA Privacy Rule should be used as the “standard of care” to be applied to the suit in state court. So the case isn’t directly using the HIPAA law as a reason to sue, but it is saying that HIPAA should be the definition of what protections are acceptable.
“We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”
Will this ruling make a difference in other states? No one knows for sure. But it certainly doesn’t mean that it won’t be used to make that case in other suits. HIPAA should be common practice according to this decision. If the court says it has become common practice in your office, what are your HIPAA audit and assessment plans for 2015? Is it included in your budget already? That is what you do if the activity is common practice, right? Are you still going to wait until someone you know has to deal with it?