OB/GYN Practice Liable to Patient for Breach of ConfidentialityJanuary 7, 2019 | Eric D. Fader | HIPAA | Legislation and Public Policy | Litigation
A Connecticut state court ruled in December that an obstetrics and gynecology practice must pay a former patient close to $2 million, the latest round in an 11-year saga in which the case was appealed to the state Supreme Court twice. The defendant medical practice was found to have breached the confidentiality of the plaintiff’s medical records by releasing information about her pregnancy without her authorization.
The plaintiff in the long-running case, Emily Byrne, had instructed Avery Center for Obstetrics and Gynecology, P.C., not to release the records of her prenatal care to her former boyfriend, the father of the baby. However, when the Westport practice received a subpoena from the father in a paternity action, it sent a copy of Byrne’s records to the court without giving her prior notice or requesting the court’s guidance regarding its obligations under HIPAA.
Byrne’s claims were brought under Connecticut common law. The lower court originally ruled in November 2014 that her negligence claims were preempted by HIPAA, under which there is no private right of action, and dismissed them. However, the state Supreme Court reversed the trial court’s decision, finding that a HIPAA violation may be actionable under state law to the extent that it constitutes a violation of generally accepted standards of care.
In January 2018, on appeal for the second time, the Supreme Court reversed the trial court’s grant of summary judgment for the defendant on two counts, negligence and infliction of emotional distress. The lower court had found that the Avery Center owed Byrne no common-law duty of confidentiality. In recognizing a cause of action for breach of the duty of confidentiality in the physician-patient relationship by improperly disclosing medical information, the Supreme Court cited case law in other states including Massachusetts, New York and New Jersey, as well as public policy.
After the most recent decision, the plaintiff’s lawyer, Bruce Elstein, said, “I don’t believe [the medical practice] knew what to do under HIPAA. They were inadequately trained and they did not even consult a manual prepared for them by a consultant on what to do when presented with a subpoena.” HIPAA requires that a healthcare provider train and periodically retrain its workforce.
The current judgment was for $853,000 which, with interest from 2007, will total approximately $2 million, but the defendant is expected to appeal the verdict to the Connecticut Appellate Court.