While HIPAA contains no rule or regulation providing an individual a remedy for a breach, and violations of HIPAA are not themselves a specific cause of action, HIPAA is increasingly being accepted as the standard of care with respect to handling confidential patient information. In a recent decision of its Supreme Court, Connecticut joined the list of other states recognizing a private cause of action against health care providers for HIPAA violations.
In the case, a healthcare provider received a subpoena requesting production of all the medical records of one of its patients, who was involved in a paternity suit. In response to the subpoena, the healthcare provider mailed a copy of the medical records to the court. As a result, the other party to the paternity suit obtained access to the medical records and began harassing the patient. The patient sued on multiple negligence counts and breach of contract.
In its opinion, the Connecticut Supreme Court concluded that “a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law.” To determine whether disclosure was allowed by law, the Supreme Court pointed to the requirements under HIPAA for responding to a subpoena because:
“to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”
While most healthcare providers think of HIPAA as only an enforcement tool utilized by the Federal Government, this case further demonstrates the increasing use of HIPAA as the standard of care when it comes to common-law causes of action. Regardless of whether HIPAA is applicable to a particular healthcare provider, all healthcare providers need to be cognizant of its rules and regulations, as they may be held to such standards and rules. HIPAA isn’t the only standard that could come into play, as there are typically other standards such as state law, licensing board rules, and ethical rules. Healthcare providers would be wise to reevaluate their policies and procedures and confirm they are in line with the applicable rules and standards to ensure the proper handling of confidential patient information within their organization.
For questions or information on HIPAA compliance, schedule a consult by emailing firstname.lastname@example.org.