With the news of the recent cyber-attack and resulting data breach at health insurance giant Anthem Inc., the buzz around data security and privacy is again high. The Anthem breach serves as a reminder to those entities subject to the Health Insurance Portability and Accountability Act (HIPAA) that failing to keep protected health information secure and private can lead to serious consequences.
Like many federal statutes, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains a provision governing how the statute is designed to interact with similar or otherwise related state laws. When this type of provision is used to override or supplant similar state laws, the provision is called “preemptive.” On November 11, 2014, the Connecticut Supreme Court held in Byrne v. Avery Center For Obstetrics and Gynecology, P.C. that state law negligence claims are not preempted by HIPAA even where the plaintiff relies on HIPAA to establish the applicable standard of care. In so holding, the Court