Based on the decision in a recent Connecticut Supreme Court case, patients may now sue physicians for breaching confidentiality. Previously, Connecticut did not recognize breach of confidentiality as a cause of action. The unauthorized disclosure at the heart of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. involved a provider’s response to a subpoena. Subpoena compliance has long been an area of confusion for providers. After Byrne, not only must providers pay special attention when responding to subpoenas but now they must also worry about broader breach of confidentiality claims by patients.

In Byrne, the state Supreme Court concluded that the unauthorized disclosure of confidential information obtained in the course of the physician-patient relationship for treatment purposes gives rise to an action for breach of duty of confidentiality.

The patient in Byrne instructed that her OB/GYN not release any of her information to her ex-boyfriend. The ex-boyfriend later filed paternity actions in two states and issued a subpoena to the provider for the patient’s medical records. The subpoena instructed the provider to send a custodian of records to the regional probate court with the records. Instead of appearing in person with the records, filing a motion to quash or notifying the patient of the request and seeking her permission, the provider simply mailed the records to the court. The court clerk inserted the records in the public court file, which allowed the ex-boyfriend full access to the patient’s records. According to the patient, after her ex-boyfriend viewed her records, he began to harass and threaten her.

In reaching its conclusion that the patient could sue a physician for breach of confidentiality, the Court relied on a number of factors including a state statute that grants privilege to physician/patient communications without providing any penalty for violations (Conn. Gen. Stat. § 52-146o) and the decisions by numerous other states to recognize such a cause of action. Although the Court did not outline elements for this new cause of action or provide other guidance as to the conduct that the plaintiff must prove to be successful in her cause of action, it pointed to an earlier decision in which it explained that HIPAA “may be utilized to inform the standard of care” if a breach of duty of confidentiality cause of action existed.

Notably, while the decision addressed only the physician/patient relationship, state courts likely will apply the reasoning in Byrne to other health care providers because Connecticut statutes recognize a number of other classes of providers as having a confidential relationship with patients. Such providers include psychiatrists, psychologists, social workers, licensed marriage family therapists, and domestic violence /sexual assault counselors among others. See Conn. Gen. Stat. §§ 52-146c et seq.

What Does This Mean For Health Care Providers?

This decision means that HIPAA and state privacy law compliance is more important than ever before. Specifically, a breach of protected health information (“PHI”) under HIPAA can now subject providers to private lawsuits for a breach of a duty of confidentiality. It may also mean that providers that fail to follow internal policies or procedures regarding privacy could be sued for a breach of duty of confidentiality.

In addressing this new legal risk, understanding how to handle subpoenas should be a top priority. The following must be clear to everyone handling subpoenas: a subpoena alone does not permit the disclosure of PHI. The patient’s written authorization or a specific court order must accompany a subpoena. While HIPAA permits the disclosure of PHI in response to subpoenas under other limited circumstances, it is not required and in light of the Byrne decision, it is not advisable.

In addition, providers need to assess compliance with privacy laws generally, including HIPAA, and step-up compliance efforts across their organizations. This includes compliance with state and federal laws that provide more protection than HIPAA, such as laws that apply to mental health, HIV/AIDS and substance abuse records. It is likely that compliance with these laws will be the measuring stick for determining whether a provider breached a duty of confidentiality in a lawsuit brought by a patient.

Photo of Daniel J. Kagan Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and…

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.