Responding To Subpoena For Medical Records May Create Liability For Healthcare Providers Under State Law Negligence Claims

Byrne is likely to spawn similar lawsuits in Connecticut and other jurisdictions because it provides a pathway to asserting state law negligence claims based on violations of HIPAA regulations.

Healthcare providers receiving a subpoena for patient medical records may want to think twice before complying with the subpoena and producing the records. A recent Connecticut case, Byrne v. Avery Center for Obstetrics and Gynecology, P.C. ("Byrne"), arose when the defendant gynecology center received a subpoena to produce the medical records of its patient, who was also a party in a separate action, and the center complied with the subpoena by producing the medical records. The center did not obtain its patient's authorization and had not received satisfactory assurances that the requesting party had attempted to notify the patient of the subpoena or had attempted to seek entry of a qualified protective order.

The patient contended that she experienced harassment and extortion as a result of the production of her medical records in the separate lawsuit and sued her gynecology center for releasing the records. Among the claims the patient asserted was that the center was negligent in failing to use reasonable care in protecting her medical file, including disclosing the records in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C § 1302d et seq.

The patient's reference to HIPAA was based on the HIPAA privacy regulation, 42 C.F.R. § 164.512(e), which permits disclosure of a patient's medical records for judicial or administrative proceedings without the patient's authorization in response to a subpoena if the provider "receives satisfactory assurance ... from the party seeking the information" that "reasonable efforts" have been made to "ensure" that the affected patient has been given notice or to secure a "qualified protective order." The patient asserted that the gynecology center's failure to insist on receiving such "satisfactory assurance" constituted negligence under Connecticut law.

Recognizing the well-settled rule that HIPAA does not create a private right of action, the trial court dismissed the plaintiff's negligence claims based on violation of HIPAA regulations on the ground that they were identical to a private claim for a violation of HIPAA and were therefore preempted by the federal law, which does not provide for a private remedy.

On November 11, 2014, the Connecticut Supreme Court...