[BreachExchange] CT Supreme Court Rules Patients Can Sue Over PHI Disclosure

Destry Winant destry at riskbasedsecurity.com
Wed Jan 17 18:54:20 EST 2018


There is a duty of confidentiality between a physician and patient,
and patients have the right to sue should unauthorized PHI disclosure
take place, according to the Connecticut Supreme Court.

In Byrne v. Avery Center for Obstetrics & Gynecology, P.C., the Court
reversed the trial court’s judgement, which stated that the healthcare
provider in question “owed the plaintiff no common-law duty of

The plaintiff, Emily Byrne, learned she was pregnant and requested
that her provider not release any of her medical information to the
father of the child. Byrne was no longer in a relationship with the
father. Avery Center then released Byrne’s information when given a

“From our review of the record in the present case, it appears that
the defendant did not even comply with the face of the subpoena, which
required the custodian of records for the defendant to appear in
person before the attorney who issued the subpoena,” the Supreme Court
decision read. “Instead, the defendant mailed a copy of the
plaintiff’s medical records directly to the court.”

The Court noted that HIPAA regulations require certain measures be
taken with regard to subpoenas.

“Covered entities may disclose protected health information in a
judicial or administrative proceeding if the request for the
information is through an order from a court or administrative
tribunal,” the Privacy Rule states. “Such information may also be
disclosed in response to a subpoena or other lawful process if certain
assurances regarding notice to the individual or a protective order
are provided.”

However, PHI disclosure can only take place when the patient has
received adequate notice of the request or when a qualified protective
order has been pursued.

“The defendant’s own admissions establish that it did not comply with
this regulation when it responded to the subpoena in the present
case,” the Court wrote.

The plaintiff had also claimed “negligence and negligent infliction of
emotional distress.” There is a duty of confidentiality in Connecticut
common law, she maintained. Public policy considerations further
support this recognition.

“Recognizing a cause of action for the breach of the duty of
confidentiality in the physician-patient relationship by the
disclosure of medical information is not barred by § 52-146o or HIPAA
and that public policy, as viewed in a majority of other jurisdictions
that have addressed the issue, supports that recognition,” the Court

Physician-patient confidentiality is a privilege, the decision
added. When that confidentiality is diminished in any way, it can
potentially affect how the physician is able to deliver proper care.

“‘The purpose of the privilege is to give the patient an incentive to
make full disclosure to a physician in order to obtain effective
treatment free from the embarrassment and invasion of privacy which
could result from a doctor’s testimony,’” the Court explained, citing
a previous case.

The Appellate Court has also “recognized the fiduciary nature of the
physician-patient relationship, which is based on trust and confidence
that develops as medical service is provided.”

Furthermore, other court cases have recognized the importance of
physician-patient confidentiality.

“‘Notwithstanding the concern that application of the
patient-physician privilege may bar the admissibility of probative
testimony, there is a clear recognition that, in general, a physician
does have a professional obligation to maintain the confidentiality of
his patient’s communications,’” the Court wrote, quoting Stempler v.
Speidell. “‘This obligation to preserve confidentiality is recognized
as part of the Hippocratic Oath.’”

Byrne v. Avery Center for Obstetrics & Gynecology, P.C. was first
brought to the state Supreme Court in 2014. That ruling also stated
that patients can sue a provider for HIPAA negligence if it violates
regulations dictating how healthcare organizations must maintain
patient confidentiality.

“Before this ruling, individuals could not file a lawsuit claiming
violation of their privacy under the (Health Insurance Portability and
Accountability Act of 1996) regulations,” Trumbull lawyer Bruce
Elstein previously told the Connecticut Post. “It was for that reason
that we filed a negligence claim, claiming the medical office was
negligent when it released confidential medical records contrary to
the requirements set forth in the regulations.”

Patient privacy concerns with legal or illegal searches were also an
issue in a case presented to the California Supreme Court in 2017.

In that case, Dr. Alwin Carl Lewis claimed that patient privacy was
violated after a government agency obtained an individual’s
prescription records without a warrant. Lewis had recommended a diet
plan for a prospective patient. The patient thought the proposal was
“unhealthful” and filed a complaint to the Medical Board. The Board
obtained Controlled Substance Utilization Review and Evaluation System
(CURES) reports on Lewis.

“With all the data that is being gathered about people – and this is
health data, the most private data most deserving of protection – this
data cannot be accessed willy-nilly,” Los Angeles attorney Henry
Fenton said during the Supreme Court hearing, according to Courthouse
News Service. “There has to be proper cause for them to do it.”
