Like many federal statutes, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains a provision governing how the statute is designed to interact with similar or otherwise related state laws.  When this type of provision is used to override or supplant similar state laws, the provision is called “preemptive.”  On November 11, 2014, the Connecticut Supreme Court held in Byrne v. Avery Center For Obstetrics and Gynecology, P.C. that state law negligence claims are not preempted by HIPAA even where the plaintiff relies on HIPAA to establish the applicable standard of care.  In so holding, the Court relied heavily on the preemption language in HIPAA and the regulatory intent contained in the preamble to HIPAA’s implementing regulations.  The decision should serve as a reminder to health care providers, health plans, health care clearinghouses, and their business associates that failing to comply with HIPAA could result not only in government enforcement but also claims of negligence brought by individuals.

The plaintiff in Byrne, Ms. Byrne, received gynecological and obstetrical care from defendant for a period of years.  As part of defendant’s normal practices, the defendant furnished Ms. Byrne with defendant’s notice of privacy practices, which, according to the decision (and unlike typical notices of privacy practices), stated that no health information would be disclosed without Ms. Bryne’s authorization. Sometime later, Ms. Byrne began a short relationship with a third party.  After the relationship soured, Ms. Byrne specifically instructed defendant not to provide her personal medical records to that party.  The third party eventually filed paternity actions against Ms. Byrne in both Connecticut and Vermont and served a subpoena on defendant to appear and to furnish in Connecticut probate court medical records belonging to Ms. Byrne.  In response to the subpoena and without taking any other action (including appearing in court), defendant mailed Ms. Byrne’s medical records to the probate court.  These records were then viewed by the third party and allegedly used against Ms. Byrne.  Ms. Byrne later filed a motion to seal her medical records, which was granted.

Ms. Byrne subsequently filed suit against defendant in Connecticut state court and alleged, among other things, that defendant “acted negligently by failing to use proper and reasonable care in protecting her medical file, including disclosing it without authorization in violation of” state statute and “engaged in conduct constituting negligent infliction of emotional distress.”  The defendant argued that HIPAA preempts negligence-based state law claims related to the confidentiality and privacy of health information and therefore the court should dismiss Ms. Byrne’s negligence claims.  After observing that there is no private right of action under HIPAA, the trial court ruled that Ms. Byrne’s negligence claims were essentially claims under HIPAA, even though they had been framed in terms of state law claims, and were thus preempted.  Ms. Byrne appealed to the Connecticut Supreme Court asserting that, while her claims rely on HIPAA for informing on the standard of care owed to her by defendants, her claims constitute common law negligence actions that “complement rather than ‘obstruct’ HIPAA for preemption purposes.”

In deciding the case, the Court first turned to the preemption language in HIPAA which provides that, subject to certain exceptions not relevant here, “a provision or requirement under this part, or a standard or implementation specification adopted or established under [relevant sections], shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.”  According to the Court, the use of the term “contrary” in the statute and also the regulations is significant here because it represents a narrow preemption standard, one that supplants or invalidates state law only if (1) compliance with both the applicable state and federal would be impossible, or (2) the state law “stands as an obstacle” to the purposes and objectives of HIPAA.  The Court also seemed to place significant weight on the discussion in the preamble to the final HIPAA regulations, stating that the ability to file a state law action to protect the privacy of health information does not conflict with HIPAA’s penalty provisions.

With this rather narrow preemption standard as the backdrop, the Court then focused on two principles to guide its decision; namely, that (1) “ordinarily, state causes of action are not [preempted] solely because they impose liability over and above that authorized by federal law,” and (2) “a complaint alleging a violation of a federal statute as an element of a cause of action, when Congress has determined that there should be no private, federal cause of action” does not transform the complaint into one arising from federal law.  In addition to these principles, the Court pointed to a number of state and federal court decisions holding that HIPAA does not preempt state law actions arising from health care providers’ breaches of patient confidentiality, some that even suggested HIPAA may provide the relevant duty of care.

Based on the statutory and regulatory preemption language under HIPAA and the principles and cases referred to above, the Court held that the trial court erred in dismissing the plaintiff’s negligence claims, and held that if Connecticut common law recognizes a claim based on a health care provider’s alleged breach of confidentiality when responding to a subpoena, HIPAA and its implementing regulations do not bar such claims.  The Court also held that if it has become standard practice in Connecticut for health care providers to follow the guidelines in HIPAA when rendering services to patients, those guidelines may serve to inform the standard of care for claims of negligence in disclosing patients’ medical records.  In conclusion, the Court stated that “the availability of such private rights of action in state courts, to the extent they exist as a matter of state law, do not preclude, conflict with, or complicate health care providers’ compliance with HIPAA.”