Provided by:  Jennifer Kirschenbaum, Esq.

June 19, 2018


Before the HITECH Act, the major exposure for failing to protect protected health information was a mostly innocuous inquiry from the Federal Office for Civil Rights (OCR) if a patient complained. Recently that office has had a mandate to fine and make headlines, so the fact that an inquiry by OCR is a byproduct of a "breach" of protected health information should serve as a major deterrent. Regardless of the ever-looming threat of government inquiry, the threat of a lawsuit from the patient over a HIPAA breach has been limited, because HIPAA as a statute does not create a separate cause of action... until now.

A Connecticut judge presiding over Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 327 Conn. 540, January 2018, may have ruined the secret HIPAA cloak of protection from lawsuit by indicating that the act of disclosure itself may be conduct that falls below standard, and is therefore subject to litigation.

"We conclude that a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship for the purpose of treatment gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law." 

The fact pattern at issue, in case you are interested: a patient's (F) medical record was disclosed in answer to a subpoena related to paternity testing, and the ex-boyfriend saw pregnancy details in the record.

So, what is the real-life implication of a private cause of action for HIPAA? From my standpoint that's pretty easy: make a mistake that you are required to report (under the Breach Notification Rule) and you now have the threat of secondary litigation exposure.

Now, with the potential for a government inquiry (OCR) over conduct or for patient litigation, it is critical to adopt proper HIPAA compliance. Remember, especially with HIPAA, the standard you are held to is whether you are expending reasonable efforts to comply and to build administrative, technical and physical safeguards for HIPAA compliance at your office. For recommended HIPAA compliance forms you can browse what we recommend here -