Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C.
Decision Date | 11 November 2014 |
Docket Number | No. 18904.,18904. |
Citation | 102 A.3d 32,314 Conn. 433 |
Court | Connecticut Supreme Court |
Parties | Emily BYRNE v. AVERY CENTER FOR OBSTETRICS AND GYNECOLOGY, P.C. |
Bruce L. Elstein, Bridgeport, with whom, on the brief, was Henry Elstein, Bridgeport, for the appellant (plaintiff).
James F. Biondo, with whom, on the brief, was Audrey D. Medd, Stamford, for the appellee (defendant).
ROGERS, C.J., and NORCOTT, PALMER, ZARELLA, EVELEIGH, McDONALD and VERTEFEUILLE, Js.*
Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1320d et seq., as a comprehensive legislative and regulatory scheme to, inter alia, protect the privacy of patients' health information given emerging advances in information technology. In this appeal, we determine whether HIPAA, which lacks a private right of action and preempts “contrary” state laws; 42 U.S.C. § 1320d–7 (2006) ;1 preempts state law claims for negligence and negligent infliction of emotional distress against a health care provider who is alleged to have improperly breached the confidentiality of a patient's medical records in the course of complying with a subpoena. The plaintiff, Emily Byrne,2 appeals from the judgment of the trial court dismissing counts two and four of the operative amended complaint (complaint) filed against the defendant, the Avery Center for Obstetrics and Gynecology, P.C.3 On appeal, the plaintiff contends that the trial court improperly concluded that her state law claims for negligence and negligent infliction of emotional distress were preempted by HIPAA. We conclude that, to the extent that Connecticut's common law provides a remedy for a health care provider's breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA does not preempt the plaintiff's state common-law causes of action for negligence or negligent infliction of emotional distress against the health care providers in this case and, further, that regulations of the Department of Health and Human Services (department) implementing HIPAA may inform the applicable standard of care in certain circumstances. Accordingly, we reverse the judgment of the trial court.
The trial court's memorandum of decision sets forth the following undisputed facts and procedural history.
5 (Footnotes altered.)
The plaintiff subsequently brought this action against the defendant. Specifically, the operative complaint in the present case alleges that the defendant: (1) breached its contract with her when it violated its privacy policy by disclosing her protected health information without authorization; (2) acted negligently by failing to use proper and reasonable care in protecting her medical file, including disclosing it without authorization in violation of General Statutes § 52–146o6 and the department's regulations implementing HIPAA;7 (3) made a negligent misrepresentation, upon which the plaintiff relied to her detriment, that her “medical file and the privacy of her health information would be protected in accordance with the law”; and (4) engaged in conduct constituting negligent infliction of emotional distress. After discovery, the parties filed cross motions for summary judgment.
With respect to the plaintiff's negligence based claims in counts two and four of the complaint, the trial court agreed with the defendant's contention that “HIPAA preempts ‘any action dealing with confidentiality/privacy of medical information,’ ” which prompted the court to treat the summary judgment motion as one seeking dismissal for lack of subject matter jurisdiction. In its memorandum of decision, the trial court first considered the plaintiff's negligence claims founded on the violations of the regulations implementing HIPAA. The court first observed the “well settled” proposition that HIPAA does not create a private right of action, requiring claims of violations instead to be raised through the department's administrative channels. The trial court then relied on Fisher v. Yale University, Superior Court, judicial district of New Haven, Complex Litigation Docket, Docket No. X10–CV–04–4003207–S (April 3, 2006), and Meade v. Orthopedic Associates of Windham County, Superior Court, judicial district of Windham, Docket No. CV–06–4005043–S (December 27, 2007),8 and rejected the plaintiff's claim that she had not utilized HIPAA as the basis of her cause of action, but rather, relied on it as “ ‘evidence of the appropriate standard of care’ for claims brought under state law, namely, negligence.”9 Emphasizing that the courts cannot supply a private right of action that the legislature intentionally had omitted, the trial court noted that the The trial court further determined that the plaintiff's statutory negligence claims founded on a violation of § 52–146o were similarly preempted because the state statute had been superseded by HIPAA, and thus the plaintiff's state statutory claim “amount[ed] to a claim for a HIPAA violation, a claim for which there is no private right of action.”10
The trial court concluded similarly with respect to the plaintiff's common-law negligence claims, observing that, under the regulatory definitions implementing HIPAA's preemption provision; see 42 U.S.C. § 1320d–7 (a) ; 45 C.F.R. § 160.202 (2004) ;11 to For the same reasons, the trial court dismissed count four of the complaint, claiming negligent infliction of emotional distress.
With respect to the remainder of the pending motions, the trial court first denied, on the basis of its previous preemption determinations, the plaintiff's motion for summary judgment, which had claimed that the defendant's conduct in responding to the subpoena violated the HIPAA regulations, specifically 45 C.F.R. § 164.512(e),12 as a matter of law. The trial court denied, however, the defendant's motion for summary judgment with respect to the remaining counts of the complaint, namely, count one alleging breach of contract and count three alleging negligent misrepresentation, determining that genuine issues of material fact existed with respect to contract formation through the defendant's privacy policy, and whether the plaintiff had received and relied upon that policy. Thus, the trial court denied the defendant's motion for summary judgment as to counts one and three of the complaint, and dismissed counts two and four of the complaint for lack of subject matter jurisdiction. This appeal followed. See footnote 3 of this opinion.
On appeal, the plaintiff claims that the trial court improperly determined that HIPAA preempted her negligence based state law claims. Conceding that there is no private right of action under HIPAA, the plaintiff asserts that she is not asserting a claim for relief premised solely on a violation of HIPAA, but rather, relies heavily on Merrell Dow Pharmaceuticals, Inc. v. Thompson, 478 U.S. 804, 106 S.Ct. 3229, 92 L.Ed.2d 650 (1986), Acosta v. Byrum, 180 N.C.App. 562, 638 S.E.2d 246 (2006), and R.K. v. St. Mary's Medical Center, Inc., 229 W.Va. 712, 735 S.E.2d 715 (2012), cert. denied, ––– U.S. ––––, 133 S.Ct. 1738, 185 L.Ed.2d 788 (2013), in support of the proposition that common-law negligence actions, with HIPAA informing the standard of care, may complement rather than “obstruct” HIPAA for preemption purposes. Citing, inter alia, Mead v. Burns, 199 Conn. 651, 662–63, 509 A.2d 11 (1986), and Wendland v. Ridgefield Construction Services, Inc., 184 Conn. 173, 181, 439 A.2d 954 (1981), the plaintiff emphasizes that the use of other state law causes of action to enforce statutes otherwise lacking private rights of action has been upheld by this court in the analogous contexts of the Connecticut Unfair Insurance Practices Act, General Statutes § 38a–815 et seq., and the federal Occupational Safety and Health Act (OSHA), 29 U.S.C. § 651 et seq., and its state counterpart, General Statutes § 31–367 et seq. The plaintiff further argues that, under HIPAA and its implementing regulation; see 42...
To continue reading
Request your trial-
Pasco Common Condo. Ass'n, Inc. v. Benson
...that we are required to interpret the plaintiffs' pleadings, our review also is plenary. See Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , 314 Conn. 433, 462, 102 A.3d 32 (2014)."Public policy generally supports the limitation of a cause of action in order to grant some degree o......
-
Soto v. Bushmaster Firearms Int'l, LLC, SC 19832
...facts, procedural history, and plenary standard of review as stated by the majority. See, e.g., Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 314 Conn. 433, 447, 102 A.3d 32 (2014) ("[w]hether state causes of action are preempted by federal statutes and regulations is a question ......
-
Soto v. Bushmaster Firearms Int'l, LLC, SC 19832, (SC 19833)
...facts, procedural history, and plenary standard of review as stated by the majority. See, e.g., Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , 314 Conn. 433, 447, 102 A.3d 32 (2014) ("[w]hether state causes of action are preempted by federal statutes and regulations is a question......
- State v. Jones
-
Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context
...especially those that gain common use, even if those standards do not carry penalty provisions or private rights of action. Endnotes: 1 314 Conn. 433 (Conn. 2014). 2 See Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., No. CV07 600 16 33 S, slip op. at 18-27(Conn. Super. Ct. April......
-
Health Providers Beware: HIPAA Breaches May Give Rise To Negligence Actions
...and privacy violations against providers under state law. HIPAA Standard of Care In Byrne v. Avery Ctr. For Obstetrics & Gynecology, 314 Conn. 433 (2013), a health center produced a patient's protected health information (PHI) in response to a subpoena without notifying the patient and ......
-
Connecticut Supreme Court Case Creates Another Reason To Be Cautious About Medical Records Subpoenas
...there are questions about the application of the CT Supreme Court case, you should consult with a HIPAA attorney. 1 Byrne v. Avery Ctr., 314 Conn. 433 2 A subpoena issued by an attorney or "officer of the court" is not the same as a subpoena issued by a judicial officer (usually a judge or ......
-
HACKING HIPAA: "BEST PRACTICES" FOR AVOIDING OVERSIGHT IN THE SALE OF YOUR IDENTIFIABLE MEDICAL INFORMATION.
...164.502(d)(2)(ii). (289) Id. at [section] 160.308(b). (290) See, e.g., Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 314 Conn. 433, 458-59 (2014), affd Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 327 Conn. 540 (2018) ("... HIPAA and its implementing regulations......
-
DATA OF THE DEAD: A PROPOSAL FOR PROTECTING POSTHUMOUS DATA PRIVACY.
...[https://perma.cc/76SP-UNZM]. (77.) See Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32, 49 (Conn. (78.) See, e.g., Mayfield v. Presbyterian Hosp. Admin., 772 F. App'x 680, 686 (10th Cir. 2019) (holding that HIPAA does not create a private right of action); Bradley v.......