Connecticut´s Supreme Court has ruled that a compensation claim for a HIPAA privacy breach can go ahead after it was tossed by the state´s Appellate Court.
Following a brief relationship in 2004, Emily Byrne discovered she was pregnant. As the relationship had ended, Emily instructed the Avery Center for Obstetrics and Gynecology in Westport not to reveal her protected health information (PHI) to her former partner – Andro Mendoza.
Emily moved to Vermont in March 2005, after which Mendoza obtained a subpoena to access Emily´s medical records on the grounds that he was pursuing a paternity suit. The Avery Center released Emily´s PHI without her permission and in breach of its own privacy policy.
Mendoza then used Emily´s medical records to start “a campaign of harm, ridicule, embarrassment and extortion” against Emily and her family. Emily obtained a court order to seal her medical records, and made a compensation claim for a HIPAA privacy breach against the Avery Center.
The Avery Center denied that it had been negligent in releasing Emily´s PHI and argued that State law took precedence over Federal law in this instance. When the claim went to the Appellate Court, the court ruled that the health center was indeed in breach of HIPAA privacy legislation, but would be charged a lesser civil penalty – rather than a negligence claim – which would result in a significantly reduced fine and no compensation for Emily.
Emily appealed the Appellate Court´s ruling to the Connecticut Supreme Court and, after a hearing last July, the Supreme Court gave the verdict that Emily did have a claim for a privacy breach against the health center based on Connecticut´s Unfair Trade Practices Act (CUTPA) that overruled HIPAA legislation. Emily´s claim has now been returned to the Appellate Court for a hearing later this year.
This is the first time that the Connecticut Supreme Court has been asked to consider the unauthorized release of PHI by a HIPAA-covered entity. The state now joins North Carolina, Missouri, and West Virginia as ruling in favor of a plaintiff whose privacy has been breached. The Department of Health and Human Services – the body responsible for issuing fines for a HIPAA privacy breach commented “the fact that a state law allows an individual to file [a civil action] to protect privacy does not conflict with the HIPAA penalty provisions.”