Physician Practice Liable for Violating its Duty of Confidentiality to a Patient

After eleven years of litigation, including two decisions by the Connecticut Supreme Court, Byrne v. Avery Center for Obstetrics and Gynecology, P.C. has finally reached a verdict. Last month, the jury awarded the plaintiff $853,000 in damages in connection with her physician practice’s 2005 release of medical records in response to a non-HIPAA compliant subpoena. The subpoena was issued in connection with a paternity suit brought by the plaintiff’s former boyfriend, a man whom the plaintiff had specifically requested her physician practice not share her medical information with.

As background, the first Supreme Court ruling in the case held that if Connecticut recognized a common law tort for breach of a physician’s duty of confidentiality, HIPAA did not preempt such a claim and could even be used to inform the applicable standard of care. The second Supreme Court ruling, as a case of first impression in Connecticut, held that a cause of action exists in Connecticut when a physician breaches his or her duty of confidentiality established by virtue of the physician-patient relationship.

At trial, bad facts for the physician practice included the fact that it produced records in response to a subpoena that did not contain the requisite satisfactory assurances from the issuing party that it met HIPAA’s notification requirements with respect to the patient or sought a qualified protective order from the court. Furthermore, because the plaintiff’s physician practice released the records without the patient’s authorization and not in compliance with a HIPAA-compliant subpoena, it violated its notice of privacy practices, which stated it would only release medical records with a patient authorization or as otherwise required by law. This opened the physician practice up to a claim of breach of contract. In addition, the records disclosed to the probate court in response to the non-compliant subpoena entered the public record of the probate court until the plaintiff filed a motion for them to be sealed. Those facts coupled with the plaintiff’s testimony regarding the harassment and extortion attempts she suffered as a result of the disclosure contributed to the damages awarded in this case. 

We now know that a patient can successfully recover damages for a physician’s negligent breach of her or his duty of confidentiality to the patient, including violating HIPAA’s requirements for treatment and response to a subpoena. There are still open questions remaining, however, and we will have to see whether less severe or more passive violations of HIPAA, such as cyberattacks or other criminal actions resulting in breaches will constitute grounds for recovery under this tort, or whether a well-developed HIPAA compliance program will mitigate potential damages. And given the breaches we see happening to physician practices despite their HIPAA compliance, one also wonders whether this newly recognized tort could develop to require more of physicians than mere HIPAA compliance to meet their duty of confidentiality to a patient in Connecticut.  

Without speculating too much about its judicial progeny, Byrne nevertheless highlights several areas of HIPAA compliance that should be areas of heightened review for physicians and medical providers now. First, providers should review their notice of privacy practices to remind themselves of the promises they are making to their patients, especially if they grant patients rights beyond what is guaranteed by HIPAA or promise to act in a more restrictive manner than HIPAA requires. Second, physicians and medical providers should refresh themselves, and particularly their medical records custodians and staff, on the appropriate way to respond to a subpoena under HIPAA. After Byrne, a physician’s failure to notify the patient of a subpoena, to seek a qualified protective order for the information sought by the subpoena, or to receive satisfactory assurances from the party seeking the information in the subpoena, will likely be seen as a violation of the physician’s duty of confidentiality if the patient does not otherwise authorize the disclosure. Third, physicians and medical providers should have a clear and consistent process for determining whether they have granted a restriction on disclosures, and should verify that no such restriction exists prior to making a disclosure. Fourth and last, physicians and medical providers should renew their commitment to a robust HIPAA compliance program, including annual trainings and periodic workforce reminders, to ensure that they are meeting their standard of care at common law with respect to patient privacy.