Vermont Supreme Court Rules on Wrongful Information Disclosure Case

Tuesday, September 10, 2019

Legal consequences flow from the use or abuse of EHR. This monthly column presents examples of what those consequences can be.

Another State supreme court has weighed in on whether an individual may sue for damages based on a healthcare provider’s “unjustified disclosure to third persons of information obtained during treatment.” In Lawson v. Halpern-Reiss, 2019 VT 38 (2019), the Vermont Supreme Court affirmed a judgment in favor of the defendant hospital, although the Court recognized a private right of action for unjustified disclosure.

The plaintiff had driven herself to the hospital after lacerating her arm. The charge nurse (who had been named as a defendant but was later dismissed by the parties), “detected a heavy odor of alcohol on plaintiff’s breath,” and concluded that the plaintiff had been drinking. This led to an alco-sensor test being administered that revealed a blood alcohol concentration of .215, well over the legal limit. The plaintiff was discharged after treatment for the laceration. The charge nurse approached a police officer stationed at the hospital, advised the officer that the plaintiff was “blatantly intoxicated,” that the plaintiff had driven herself to the hospital, and that she was about to drive herself home. This led to the plaintiff’s arrest, although the charge was later dismissed by the prosecutor.

The plaintiff then sued the charge nurse and the hospital, alleging that the plaintiff sustained damages because of, among other things, “the nurse’s negligent disclosure of information obtained during plaintiff’s medical treatment.” A trial court granted summary judgement in favor of the defendants, relying on a HIPAA regulation that permitted the disclosure of information “based on the presumed good-faith belief that the disclosure was necessary to prevent a serious and imminent threat to the health or safety of a person or the public” and finding no fact dispute that the charge nurse’s disclosure was based on such a good-faith concern (as opposed to being of assistance to law enforcement).

The Vermont Supreme Court affirmed. First, it recognized that “neither Vermont law nor HIPAA provides a private right of action to obtain damages incurred as the result of a medical provider’s disclosure of information obtained during treatment.” However, relying in part on a decision of the Connecticut Supreme Court (Byrne v. Avery Center for Obstetrics and Gynecology), the Vermont Supreme Court held that HIPAA does not prohibit a state from recognizing a cause of action under its common law for breach of a duty of confidentiality owed by healthcare providers to their patients. The court then joined “the consensus of jurisdictions recognizing a common-law private right of action for damages arising from a medical provider’s unauthorized disclosure of information obtained during treatment.” In doing so, the court held that HIPAA and its implementing regulations should “inform the standard of care and establish the framework for exceptions to medical care providers’ duty of confidentiality.”

The Vermont Supreme Court then reviewed the record from the trial court, noting that the “point of contention” between the parties was whether the record demonstrated that the charge nurse had a “good faith belief that all the information provided to the officer was necessary to prevent a serious and imminent threat to the health or safety of plaintiff or the general public.” It concluded that the record “unequivocally” showed that the charge nurse had no other motive in doing so and, accordingly, affirmed the trial court.

What does this mean for healthcare providers? In a sense, nothing new when compared with Byrne v. Avery Center for Obstetrics and Gynecology, which I discussed in a post from March 12, 2015. Healthcare providers should be aware that, depending on their jurisdictions, the wrongful disclosure of information obtained during medical treatment might give rise to a claim for damages resulting from that disclosure. Moreover, healthcare providers should have procedures in place—based at least on exceptions to nondisclosure set forth in HIPAA and the regulations implementing it—to respond when circumstances arise that make disclosure appropriate.

[author] [author_image timthumb='on']/Portals/0/uploads/content_hub/Rons-Headshot.png[/author_image] [author_info]Ron Hedges, JD, is a former US Magistrate Judge in the District of New Jersey and is currently a writer, lecturer, and consultant on topics related to electronic information.[/author_info] [/author]

**Editor’s note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as advice.

Tags: privacy and security , litigation