Breach of HIPAA Privacy Regulations May be a Basis for Negligence Actions

By Shelby Root and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by the Florida Bar in Health Law

00011_RT8Given the advances in information technology, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress as a comprehensive legislative and regulatory scheme to ensure basic protections of patients’ right of privacy regarding their health information. HIPAA, standing alone, does not provide a private right of action. It also preempts contrary state laws. A recent case in the Supreme Court of Connecticut, Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32 (Conn. 2014), addressed these issues. The decision answered the question of whether HIPAA preempts state law claims for negligence and negligent infliction of emotional distress against a healthcare provider who released medical records in the course of complying with a subpoena.

The Facts of Byrne v. Avery Center for Obstetrics and Gynecology, P.C.

During May 2004, Byrne started a personal relationship with Andro Mendoza, which lasted four months. At some point during May 2004 and July 12, 2005, the Avery Center provided Byrne with gynecological and obstetrical care and treatment. During the visit she was given the center’s privacy policy regarding protected health information. The policy, and the law, state that a patient’s health information will not be disclosed without their authorization. After Byrne’s relationship with Mendoza ended she instructed the center not to release her medial records to him.

On May 31, 2005, Mendoza filed paternity actions against Byrne. The Avery Center was served with a subpoena requesting its presence, along with Byrne’s medical records, at Probate Court. The center did not alert Byrne of the subpoena, file a motion to quash or appear in court. Instead, it mailed a copy of Byrne’s medical file to the court.

The Supreme Court of Connecticut’s Holding.

The Supreme Court of Connecticut reasoned that the fact a state law that allows an individual to file a civil action to protect their privacy exist does not mean that the law conflicts with the HIPAA penalty provisions. Therefore, the court concluded that HIPAA does not preempt causes of action when they are based on a state common or statutory law due to a healthcare provider’s breach of confidentiality.

The court found that a number of federal and state courts have ruled that a breach of the HIPAA Privacy Rule may be the basis for a breach of a duty of care in state court negligence actions. A patient’s private right of action does not conflict with or complicate healthcare provider’s compliance with HIPAA. In fact, negligence claims in state courts are furthering HIPAA’s goal of deterring wrongful disclosure of patient’s healthcare information. To view a past blog on a HIPAA violation case in California, click here.

Editors’ Comments on Byrne.

This is the latest of several recent cases where state courts have allowed cases to proceed against health care providers who breached the medical confidentiality of their patients, based in part on the HIPAA Privacy Regulations. In this case, the court correctly held that, although HIPAA does not afford a private right of action by itself, it does establish the duty that is owed by a healthcare provider to its patients to protect their medical information. With this duty being established, the plaintiff can then proceed under a straight negligence tort cause of action.

It is also noteworthy that the HIPAA Privacy Regulations are just one source of “evidence” or standards that can be used to establish th duty owed by medical professionals and theories.

This case also helps to put to rest the spurious defense that HIPAA might “preempt” such a cause of action that is brought under state law. We have seen this theory used by defendants just about any time a federal statute or federal regulation might come into play in a tort law suit. The court correctly determined that this defense theory was not valid.

If anything, HIPAA has better defined and strengthened a duty that has been owed to patients by physicians, nurses, health professionals and health facilities since the time of Hippocrates.

Comments?

What are your thoughts on the Supreme Court of Connecticut’s ruling? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and instiuttions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Source:

Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 102 A.3d 32 (Conn. 2014). From:

http://scholar.google.com/scholar_case?case=6869878125055474806&q=Byrne+v.+Avery+Center+for+Obstetrics+and+Gynecology,+P.C.,+102+A.3d+32+(Conn.+2014)&hl=en&as_sdt=40006

About the Authors: Shelby Root is a summer associate at The Health Law Firm. She is a student at Barry University College of Law in Orlando. George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

KeyWords: Health Insurance Portability and Accountability Act, HIPAA, HIPAA Privacy Rules, HIPAA compliance, protected health information, patient privacy, patient rights, HIPAA violation, penalties for HIPAA violation, civil penalties for HIPAA violation, privacy, defense attorney, defense lawyer, HIPAA defense attorney, HIPAA violation help, HIPAA attorney, HIPAA lawyer, compliance plans, health law, The Health Law Firm

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law firm. All rights reserved.

By |2024-03-14T10:01:00-04:00June 1, 2018|Categories: In the News, The Health Law Firm Blog|Tags: , , , , , , , , , , , , , , , , , , |1 Comment
Read More

Jury Awards Walgreens Customer $1.44 Million Over HIPAA Violation

LOL Blog Label 2By Lance O. Leider, J.D., The Health Law Firm and  George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

An Indiana jury awarded a Walgreens customer $1.44 million on July 26, 2013, over a Health Insurance Portability and Accountability Act (HIPAA) violation, according to the Indianapolis Star. The Walgreens pharmacist was found to have violated the customer’s privacy by looking up and sharing the customer’s prescription history with others. The lawsuit alleged that there was a relationship between the pharmacist, her husband and the husband’s ex-girlfriend (who was the customer). The customer/ex-girlfriend was the plaintiff in the lawsuit.

Click here to read the entire article from the Indianapolis Star.

Details of the Lawsuit.

According to the American Bar Association, the lawsuit alleged the pharmacist was married to the customer’s ex-boyfriend at the time the pharmacist viewed her prescription records. The pharmacist admitted to showing the confidential information to her husband, who shares a child with the customer/plaintiff. In doing this, the pharmacist breeched her statutory and common law duties of confidentiality and privacy.

Click here to read the entire article from the American Bar Association.

Walgreens Found Negligent.

The jury found Walgreens negligent in training and supervising the pharmacist. The pharmacist admitted she was aware of the pharmacy’s privacy policy and knew she was violating it. Walgreens claims the pharmacist has been appropriately disciplined.

Deadline to Comply with Omnibus Rule Close-Are You Ready?

The Department of Health and Humans Services (HHS) released stronger rules and protections governing patient privacy on January 17, 2013. This omnibus rule strengthens the privacy and security protection established under HIPAA. Physicians, hospitals, clinics, health care providers and their business associates need to take into account the corrections as they work to update business associate agreements, policies, practices and training to comply with the rule changes by the September 23, 2013, deadline. To learn more on the omnibus rule changes, click here to read a previous blog.

Be Proactive-Get a HIPAA Risk Assessment.

A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions.  It will identify areas for improvement and allow them to be corrected before an auditor finds the issue and causes unwanted problems for you and your practice.

HIPAA laws have most likely changed since you last edited your privacy forms and procedures. Many health providers simply don’t have the time to re-review their policies and revise documents. In a perfect practice, this would be done every six months.

To learn more on HIPAA risk assessments, click here.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What are your thoughts on this HIPAA violation? Do you think Walgreens failed to train and supervise the pharmacist? Please leave any thoughtful comments below.

Sources:

Neil, Martha. “Walgreens Must Pay Customer $1.44M After Pharmacy Shared Her Prescription Records.” American Bar Association. (July 29, 2013). From: http://www.abajournal.com/news/article/jury_says_walgreens_must_pay_1.44m_because_pharmacist_gave_her_husband/

Evans, Tim. “Walgreens Must Pay Woman $1.44 Million Over HIPAA Violation.” Indianapolis Star. (July 26, 2013). From: http://www.indystar.com/article/20130726/NEWS/307260079/

About the Authors: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone:  (407) 331-6620.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999. Copyright © 1996-2012 The Health Law Firm. All rights reserved.

By |2024-03-14T10:01:14-04:00May 15, 2018|Categories: Legal Defense for Pharmacists, Pharmacist, Pharmacy, Pharmacy Law|Tags: , , , , , , , , , , , , , , , , , , , , , , , , , |5 Comments
Read More
“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A.
The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 2022 The Health Law Firm. All rights reserved.
FacebookInstagramLinkedInTwitterYouTube
Toggle Sliding Bar Area
Go to Top