It has been a commonly held belief that a patient cannot sue under HIPAA for a breach of confidential health information as HIPAA provides no private cause of action. The patient’s only recourse has been to report the violation to the relevant federal agency responsible for enforcing the law, in this case the Department of Health and Human Services.
Recently, however, the Connecticut Supreme Court overturned a lower court’s decision that HIPAA precludes plaintiffs’ individual liability claims relating to violations of health information confidentiality. In Byrne v. Avery Center for Obstetrics and Gynecology, in which the clinic released PHI in response to a subpoena, the higher court ruled that “If Connecticut’s common law recognizes claims arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims.”
The Connecticut court’s ruling follows similar rulings in Tennessee and Delaware in recent years. The Connecticut ruling went on to say “We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”
Healthcare providers are, of course, paying close attention to these court rulings. But these rulings are sending shock waves through other industries as well whose privacy and data security is similarly governed by federal laws that do not provide a private cause of action. These laws include FERPA and COPPA -- which protect the privacy of students and children, GLBA – the Gramm-Leach-Bliley Act – which governs financial institutions, and the wide-reaching FTC Act – the Federal Trade Commission Act.
See Clinical Psychiatry News article at “Court: Patients can sue over HIPAA breaches”