2018 marks the year that Connecticut citizens are now allowed to file HIPAA lawsuits against providers for unwarranted release of their protected health information (PHI).
This ruling was issued for a case between the Avery Center for Obstetrics and Gynecology in Westport, Connecticut, and one of their patients, Emily Byrne. Byrne sued Avery Center for negligence and breach of contract after the Center sent Byrne’s medical records to the New Haven Regional Children’s Probate Court after a man looked to claim custody of her child in a paternity suit.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) serves to protect the privacy and security of sensitive health data, or PHI. HIPAA does not permit private lawsuits by patients to collect damages for these unauthorized releases of PHI–which is why this ruling in Connecticut is such a landmark precedent, following similar verdicts in New York, Massachusetts, and Missouri.
Avery Center was subpoenaed to appear in court and display Byrne’s medical records before an attorney. Rather than follow necessary procedure, Avery Center mailed Byrne’s records to the probate court, which made her records publicly available to the man who initiated the paternity suit. The case records show that Avery Center did not challenge the subpoena, nor did it attempt to disclose the minimum necessary PHI to accomplish its purpose.
Byrne and her attorney proceeded to sue the Avery Center over the unauthorized release of her medical records and history. Byrne argued that HIPAA regulation creates a standard for the security of patient’s PHI, and that the standard was broken with the release of her information by Avery Center.
Byrne’s case was brought to Connecticut’s Supreme Court after a series of legal battles. The Court disagreed with Avery Center’s claim that a subpoena for medical records does not require patient consent.
Justice Dennis G. Eveleigh, in his written decision, highlighted key points in federal law that show that covered entities (CE), such as Avery Center, that are acting upon subpoenas or court orders must have “satisfactory assurance” that the patient was noticed about the request for the release of their medical records. Eveleigh continued to write that after reviewing the case, Byrne was never given a release notice and that Avery Center neglected to send any form of communication to her regarding the subpoena and her records.
The Supreme Court ruled the case in Byrne’s favor and granted her suit for damages valid–a new precedent allowing all Connecticut citizens to sue providers for damages in the aftermath of unauthorized releases of PHI.
Byrne’s attorney Bruce L. Elstein said, “Finally we have a remedy in Connecticut that recognizes that there is a duty of confidentiality, the breach of which can lead to compensation for damages.”
HIPAA Lawsuits, Risks on the Rise
In light of HIPAA lawsuits and HIPAA penalties like these, the threat that a HIPAA violation can pose to your practice has never been greater. External threats from federal enforcement are now paired with HIPAA lawsuits being levied by patients against providers. And that says nothing of state Attorney General HIPAA penalties being levied, as well as jail time.
The days of flying under the radar for HIPAA violations are quickly coming to a close. And the best way to defend against HIPAA lawsuits and penalties is with a HIPAA compliance program built to address the specific needs of your business. By creating an effective HIPAA compliance program, you’re demonstrating to the federal government that you’re performing your “good faith effort” toward maintaining the privacy, security, confidentiality, and integrity of your patients’ sensitive health information.