Connecticut Supreme Court allows patients to sue providers for HIPAA violations

Legal Review
A Connecticut Supreme Court ruling creates a new legal precedent, allowing patients to sue providers over HIPAA violations. (Image: iStock-BrianAJackson)

Add Connecticut to the list of states that allow patients to sue providers for unauthorized disclosure of their medical records.

The Connecticut Supreme Court ruled last week that patients have the right to bring legal action against a provider. Other courts throughout the state have ruled that although HIPAA allows the federal government to issue penalties for violating patient confidentiality, the federal law does not provide a private right of action for patients to collect damages.

The high court's ruling establishes a new legal precedent for the state, falling in line with other jurisdictions that allow patients to sue providers for damages tied to confidentiality violations.

The court issued the ruling on case involving a woman, Emily Byrne, who sued Avery Center for Obstetrics and Gynecology in Westport, Connecticut, for negligence and breach of contract after the provider released Byrne’s medical records in response to a subpoena issued as part of a separate paternity suit. Although the subpoena required the “custodian of records” to appear before an attorney, Avery mailed a copy of Byrne’s medical records to the New Haven Regional Children’s Probate Court.

It’s not the first time the case has come before the state Supreme Court. In 2014, the court ruled that HIPAA could be used as a standard of care for common law claims. Upon remand, the trial court deferred again to the Connecticut Supreme Court regarding Byrne’s negligence claims, noting that no courts had addressed the issue.

Reviewing the case for the second time, the state Supreme Court disagreed with the provider’s argument that under HIPAA, disclosing medical records in response to a subpoena does not require patient consent. In the written decision (PDF) Justice Dennis G. Eveleigh highlighted sections of federal law that say covered entities responding to a subpoena or court order must have “satisfactory assurance” that the patient has been given notice about the request.

"From our review of the record in the present case, it appears that the defendant did not even comply with the face of the subpoena," Eveleigh wrote.

RELATED: Ciox Health sues HHS to stop ‘irrational’ HIPAA enforcement

He also pointed to several other states—including New York, Massachusetts and Missouri—that have issued similar rulings regarding a patient’s right to sue over confidentiality breaches.

“We agree with the majority of jurisdictions that have considered the issue, and conclude that the nature of the physician-patient relationship warrants recognition of a common-law cause of action for breach of the duty of confidentiality in the context of that relationship,” he wrote.

“Finally we have a remedy in Connecticut that recognizes that there is a duty of confidentiality, the breach of which can lead to compensation for damages,” Bryne’s attorney Bruce L. Elstein told the Hartford Courant.