You’ve Been Served: What’s Next?

You’ve Been Served: What’s Next?

Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.

In a blog post published on March 12, 2015, I reported on a decision of the Connecticut Supreme Court in Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433, 102 A.3d 32 (2014). Here is the background of Byrne, as described in that post:

The plaintiff, Emily Byrne, was a party to a Connecticut paternity action arising out of a personal relationship with Andro Mendoza. She had instructed the Avery Center NOT to release her medical records to him. The Avery Center did not notify Byrne when it was subpoenaed in the paternity action for the production of her medical records. Instead, it mailed a copy of Byrne’s records to the court in which the action was pending. Mendoza saw the records and he allegedly harassed and threatened Avery thereafter.

Byrne filed a civil action against the Avery Center because of its compliance with the subpoena and disclosure of the records. She alleged that, among other things, the Avery Center was negligent in failing to use ‘proper and reasonable care in protecting her medical file.’ Her allegation was rooted on the common law of negligence and negligent infliction of emotional distress rather than on HIPAA itself because HIPAA could not be enforced by her directly. The trial court granted summary judgment in favor of the Avery Center, reasoning that Byrne’s negligence and negligent infliction claims were preempted by HIPAA.

In reversing the court below, the Supreme Court held that federal law, specifically HIPAA and its implementing regulations, did not preempt Connecticut common law and that the patient-plaintiff could proceed against the Avery Center. The Supreme Court remanded (in other words, returned the case to the trial court) for further proceedings.

On remand, the trial court again granted summary judgment in favor of the Avery Center, concluding that “the defendant, as a health care provider, owed the plaintiff no common-law duty of confidentiality.” The trial court did so because there was no case law in Connecticut that recognized such a duty when a healthcare provider responded to a subpoena and that the imposition of such a duty would be best left to an appellate court or legislation. Plaintiff promptly appealed, the Supreme Court accepted the appeal, and again reversed the trial court. Byrne v. Avery Center for Obstetrics & Gynecology, P.C., SC 19873 (Conn. Jan. 16, 2018).

On appeal, Supreme Court characterized the issue as: “[W]hether a patient has a civil remedy against a physician who, without the patient’s consent, discloses confidential information obtained in the course of the patient-physician relationship.” To answer that question, the Supreme Court first turned to Connecticut statutes and noted that those did not provide a cause of action or other remedy for improper disclosure of confidential information. The Supreme Court then turned to federal law and case law from other states to resolve the issue before it. Having done so, the Supreme Court concluded that the following:

[A] duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship for the purpose of treatment gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law.

The Supreme Court rejected the argument of the Avery Center that it was entitled to summary judgment in any event because Connecticut law did not require a patient’s consent to disclose medical records in response to a subpoena. The Supreme Court observed that the Avery Center “did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court.” Moreover, the Avery Center did not comply with the terms of the subpoena, which required a personal appearance by a records custodian but, instead, simply mailed the medical records. On these facts, the Supreme Court concluded that summary judgment should not have been granted and remanded.

In my 2015 post I raised the question of the standard of care against which the Avery Center’s conduct would be measured. The Supreme Court appears to have answered that question in repeating this language from its earlier decision:

[T]o the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.

The Supreme Court reviewed regulations promulgated under HIPAA that imposed “specific steps prior to making any disclosure of protected health information pursuant to a subpoena” and observed that the Avery Center’s “own admissions establish that it did not comply with this regulation when it responded to the subpoena in the present case.” Presumably, a jury will be asked at trial what the “common practice” was at the relevant time and will be instructed by the trial judge on what the standard of care was at that time.

What does all this mean for health information professionals? Above all else, there should be information governance policies and procedures in place that address receipt, processing, and response to subpoenas whether or not these subpoenas call for disclosure of confidential information. There should not be ad hoc responses to subpoenas. Second, personnel should be educated on the applicable information governance policies and procedures so subpoenas are responded to in a manner consistent with patient confidentiality and legal requirements. Third, the implementation of policies and procedures should be monitored and, as appropriate, modified to comply with all requirements.


**Editor’s Note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as legal advice.

Ron Hedges, JD, is a former US Magistrate Judge in the District of New Jersey and is a writer, lecturer, and consultant on topics related to, among other things, electronic information. He is a Senior Counsel with Dentons US LLP.
Leave a comment

Send a Comment

Your email address will not be published. Required fields are marked *