Nov 132014

Connecticut Ruling Finds HIPAA Does Not Preempt State Law Claims

Sidley Data Matters Contributors
,

On November 11, 2014, the Connecticut Supreme Court held in Emily Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (“Avery Center”) (SC 18904) that the federal Health Insurance Portability and Accountability Act (“HIPAA”) does not preempt state common law negligence and emotional distress claims against medical providers who improperly breach the confidentiality of a patient’s medical records and that “HIPAA may inform the applicable standard of care in certain circumstances.” In reaching its decision, the high court reversed the trial court’s dismissal of plaintiff Emily Byrne’s state common law causes of action for negligence and negligent infliction of emotion distress against Avery Center for releasing information about her pregnancy without her authorization in complying with a subpoena in a paternity action. Although other states have reached similar holdings, the Connecticut ruling is notable in light of the passage of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which expanded HIPAA liability to business associates. As such, covered entities as well as their business associates risk increased exposure under HIPAA and state laws, including negligence, invasion of privacy and state privacy claims.

In providing healthcare services to the plaintiff, Avery Center provided a notice of privacy policy agreeing to not release the plaintiff’s information without her authorization. The plaintiff also specifically instructed the defendant to not release her medical records to the estranged father of her child. After the father filed paternity actions against the plaintiff, the defendant was served with a subpoena requesting its presence in court with the plaintiff’s medical records. Without notifying the plaintiff of the subpoena, filing a motion to quash, or appearing in court, the defendant mailed a copy of the plaintiff’s medical records to the court. As a result, the plaintiff allegedly suffered harassment and extortion threats from the estranged father after viewing her medical records.

The plaintiff brought four actions against the defendant: (1) breach of contract; (2) negligence in failing to use proper and reasonable care to protect her medical records; (3) negligent misrepresentation that her medical records would be protected according to the law; and (4) negligent infliction of emotional distress. The trial court denied Avery Center’s motion for summary judgment with respect to counts one and three and dismissed counts two and four for lack of subject matter jurisdiction holding that HIPAA does not create a private right of action and preempted the negligence-based state common law claims.

On appeal, the high court asserted that preemption applies only when a “state law” provision, which includes common law as defined at 45 C.F.R. § 160.202, is “contrary” to HIPAA, where “contrary” means that it is (1) impossible for a covered entity to comply with both the state and federal requirements; or (2) that the state law is “an obstacle” to federal purposes. Additionally, state laws that are “more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter” are exempt from preemption. In reviewing the regulatory history of HIPAA and its implementing regulations, the high court also concluded that HIPAA did not intend to preempt state tort actions resulting from unauthorized disclosure of protected health information. Accordingly, the court concluded that “private rights of action in state courts, to the extent that they exist as a matter of state law, do not preclude, conflict with, or complicate healthcare providers’ compliance with HIPAA”, which “may inform the relevant standard of care in such actions”. Although HIPAA does not provide a private right of action, the Avery Center case and cases like it recognize that HIPAA can be used by plaintiff attorneys to establish the standard of care in connection with negligence and other tort claims.

If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work or

William A. Sarraille  
Partner
+1.202.736.8195
wsarraille@sidley.com

Anna L. Spencer
Partner
+1.202.736.8445
aspencer@sidley.com

Eva F. Yin
Associate
+1.415.772.7468
eyin@sidley.com

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.