Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C.

• Decision Date: 11 November 2014
• Docket Number: No. 18904.,18904.
• Citation: 102 A.3d 32,314 Conn. 433
• Court: Connecticut Supreme Court
• Parties: Emily BYRNE v. AVERY CENTER FOR OBSTETRICS AND GYNECOLOGY, P.C.

314 Conn. 433

102 A.3d 32

Emily BYRNE

v.AVERY CENTER FOR OBSTETRICS AND GYNECOLOGY, P.C.

No. 18904.

Supreme Court of Connecticut.

Argued March 12, 2013.

Decided Nov. 11, 2014.

Bruce L. Elstein, Bridgeport, with whom, on the brief, was Henry Elstein, Bridgeport, for the appellant (plaintiff).

James F. Biondo, with whom, on the brief, was Audrey D. Medd, Stamford, for the appellee (defendant).

ROGERS, C.J., and NORCOTT, PALMER, ZARELLA, EVELEIGH, McDONALD and VERTEFEUILLE, Js.^*

Opinion

NORCOTT, J.

Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1320d et seq., as a comprehensive legislative and regulatory scheme to, inter alia, protect the privacy of patients' health information given emerging advances in information technology. In this appeal, we determine whether HIPAA, which lacks a private right of action and preempts “contrary” state laws; 42 U.S.C. § 1320d–7 (2006) ;¹ preempts state law claims for negligence and negligent infliction of emotional distress against a health care provider who is alleged to have improperly breached the confidentiality of a patient's medical records in the course of complying with a subpoena. The plaintiff, Emily Byrne,² appeals from the judgment of the trial court dismissing counts two and four of the operative amended complaint (complaint) filed against the defendant, the Avery Center for Obstetrics and Gynecology, P.C.³ On appeal, the plaintiff contends that the trial court improperly concluded that her state law claims for negligence and negligent infliction of emotional distress were preempted by HIPAA. We conclude that, to the extent that Connecticut's common law provides a remedy for a health care provider's breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA does not preempt the plaintiff's state common-law causes of action for negligence or negligent infliction of emotional distress against the health care providers in this case and, further, that regulations of the Department of Health and Human Services (department) implementing HIPAA may inform the applicable standard of care in certain circumstances. Accordingly, we reverse the judgment of the trial court.

The trial court's memorandum of decision sets forth the following undisputed facts and procedural history.

“Before July 12, 2005, the defendant provided the plaintiff [with] gynecological and obstetrical care and treatment. The defendant provided its patients, including the plaintiff, with notice of its privacy policy regarding protected health information and agreed, based on this policy and on law, that it would not disclose the plaintiff's health information without her authorization.

“In May, 2004, the plaintiff began a personal relationship with Andro Mendoza, which lasted until September, 2004.⁴ ... In October, 2004, she instructed the defendant not to release her medical records to Mendoza. In March, 2005, she moved from Connecticut to Vermont where she presently lives. On May 31, 2005, Mendoza filed paternity actions against the plaintiff in Connecticut and Vermont. Thereafter, the defendant was served with a subpoena requesting its presence together with the plaintiff's medical records at the New Haven Regional Children's [Probate Court] on July 12, 2005. The defendant did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court. Rather, the defendant mailed a copy of the plaintiff's medical file to the court around July 12, 2005. In September, 2005, ‘[Mendoza] informed [the] plaintiff by telephone that he reviewed [the] plaintiff's medical file in the court file.’ On September 15, 2005, the plaintiff filed a motion to seal her medical file, which was granted. The plaintiff alleges that she suffered harassment and extortion threats from Mendoza since he viewed her medical records.”⁵ (Footnotes altered.)

The plaintiff subsequently brought this action against the defendant. Specifically, the operative complaint in the present case alleges that the defendant: (1) breached its contract with her when it violated its privacy policy by disclosing her protected health information without authorization; (2) acted negligently by failing to use proper and reasonable care in protecting her medical file, including disclosing it without authorization in violation of General Statutes § 52–146o⁶ and the department's regulations implementing HIPAA;⁷ (3) made a negligent misrepresentation, upon which the plaintiff relied to her detriment, that her “medical file and the privacy of her health information would be protected in accordance with the law”; and (4) engaged in conduct constituting negligent infliction of emotional distress. After discovery, the parties filed cross motions for summary judgment.

With respect to the plaintiff's negligence based claims in counts two and four of the complaint, the trial court agreed with the defendant's contention that “HIPAA preempts ‘any action dealing with confidentiality/privacy of medical information,’ ” which prompted the court to treat the summary judgment motion as one seeking dismissal for lack of subject matter jurisdiction. In its memorandum of decision, the trial court first considered the plaintiff's negligence claims founded on the violations of the regulations implementing HIPAA. The court first observed the “well settled” proposition that HIPAA does not create a private right of action, requiring claims of violations instead to be raised through the department's administrative channels. The trial court then relied on Fisher v. Yale University, Superior Court, judicial district of New Haven, Complex Litigation Docket, Docket No. X10–CV–04–4003207–S (April 3, 2006), and Meade v. Orthopedic Associates of Windham County, Superior Court, judicial district of Windham, Docket No. CV–06–4005043–S (December 27, 2007),⁸ and rejected the plaintiff's claim that she had not utilized HIPAA as the basis of her cause of action, but rather, relied on it as “ ‘evidence of the appropriate standard of care’ for claims brought under state law, namely, negligence.”⁹ Emphasizing that the courts cannot supply a private right of action that the legislature intentionally had omitted, the trial court noted that the “plaintiff has labeled her claims as negligence claims, but this does not change their essential nature. They are HIPAA claims.” The trial court further determined that the plaintiff's statutory negligence claims founded on a violation of § 52–146o were similarly preempted because the state statute had been superseded by HIPAA, and thus the plaintiff's state statutory claim “amount[ed] to a claim for a HIPAA violation, a claim for which there is no private right of action.”¹⁰

The trial court concluded similarly with respect to the plaintiff's common-law negligence claims, observing that, under the regulatory definitions implementing HIPAA's preemption provision; see 42 U.S.C. § 1320d–7 (a) ; 45 C.F.R. § 160.202 (2004) ;¹¹ to “the extent that common-law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA's preemption rule. Because it is not more stringent, according to the definition of 45 C.F.R. § 160.202, the preemption exception does not apply.” For the same reasons, the trial court dismissed count four of the complaint, claiming negligent infliction of emotional distress.

With respect to the remainder of the pending motions, the trial court first denied, on the basis of its previous preemption determinations, the plaintiff's motion for summary judgment, which had claimed that the defendant's conduct in responding to the subpoena violated the HIPAA regulations, specifically 45 C.F.R. § 164.512(e),¹² as a matter of law. The trial court denied, however, the defendant's motion for summary judgment with respect to the remaining counts of the complaint, namely, count one alleging breach of contract and count three alleging negligent misrepresentation, determining that genuine issues of material fact existed with respect to contract formation through the defendant's privacy policy, and whether the plaintiff had received and relied upon that policy. Thus, the trial court denied the defendant's motion for summary judgment as to counts one and three of the complaint, and dismissed counts two and four of the complaint for lack of subject matter jurisdiction. This appeal followed. See footnote 3 of this opinion.

On appeal, the plaintiff claims that the trial court improperly determined that HIPAA preempted her negligence based state law claims. Conceding that there is no private right of action under HIPAA, the plaintiff asserts that she is not asserting a claim for relief premised solely on a violation of HIPAA, but rather, relies heavily on Merrell Dow Pharmaceuticals, Inc. v. Thompson, 478 U.S. 804, 106 S.Ct. 3229, 92 L.Ed.2d 650 (1986), Acosta v. Byrum, 180 N.C.App. 562, 638 S.E.2d 246 (2006), and R.K. v. St. Mary's Medical Center, Inc., 229 W.Va. 712, 735 S.E.2d 715 (2012), cert. denied, ––– U.S. ––––, 133 S.Ct. 1738, 185 L.Ed.2d 788 (2013), in support of the proposition that common-law negligence actions, with HIPAA informing the standard of care, may complement rather than “obstruct” HIPAA for preemption purposes. Citing, inter alia, Mead v. Burns, 199 Conn. 651, 662–63, 509 A.2d 11 (1986), and Wendland v. Ridgefield Construction Services, Inc., 184 Conn. 173, 181, 439 A.2d 954 (1981), the plaintiff emphasizes that the use of other state law causes of action to enforce statutes otherwise lacking private rights of action has been upheld by this court in the analogous contexts of the Connecticut Unfair Insurance Practices Act, General Statutes § 38a–815 et seq., and the federal Occupational Safety and Health Act (OSHA), 29 U.S.C. § 651 et seq., and its state counterpart, General Statutes § 31–367 et seq. The plaintiff further argues that, under HIPAA and its implementing regulation; see 42...