Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context

A recent decision of the Connecticut Supreme Court signals a growing trend in Health Insurance Portability and Accountability Act (HIPAA) jurisprudence that could prove significant in the broader data-security context.

Although HIPAA contains no private right of action and preempts contrary state laws, several courts have held that HIPAA does not preempt state-law negligence claims for improper disclosure of private patient information and—importantly—that HIPAA regulations may inform the state-law duty of care. This trend and the most recent case, Byrne v. Avery Center for Obstetrics & Gynecology, P.C.,[1] should be of interest not only to health care providers, but also to all companies collecting or disseminating sensitive customer information. Courts have yet to address the contours of any common-law duty to protect consumer data in the data-security context, but Byrne suggests that courts could look to federal regulations and standards, even if the federal-law sources do not provide private rights of action.

While certainly not new, data-breach lawsuits have become more common after numerous high-profile breaches within the past year. But most of the litigation to date has centered on a plaintiff's ability to state a cause of action. Plaintiffs have tried numerous common-law theories: breach of contract, unjust enrichment, invasion of privacy, misrepresentation and negligence. Courts generally reject contract, unjust enrichment and misrepresentation claims unless the defendants undertook some specific security obligations in their contracts or privacy policies. Invasion of privacy claims frequently fail for lack of "publication," and negligence claims fail for lack of actual injury—e.g., identity theft—under either the economic loss doctrine or Article III standing.

Few cases have gone beyond the pleadings, and fewer still have reached the question of what a state-law negligence duty entails in the context of data breach. In the HIPAA context, however, courts have begun to look to federal regulations for guidance, a trend that could inform courts in data-breach cases that survive the pleadings.

The plaintiff in Byrne received treatment in connection with her pregnancy from the defendant obstetrics center, which agreed in its privacy policy not to disclose her health information without authorization. But after the child's father filed paternity actions and served a subpoena, the obstetrics center mailed a copy of the plaintiff's medical...
