Health Providers Beware: HIPAA Breaches May Give Rise to Negligence Actions

April 2, 2015 | Articles | Garden State Gavel Blog

Electronic medical records provide a multitude of benefits for providers and patients by promoting efficient record access, cost savings and better patient care. So what’s the downside?

Well, for starters, these records are ripe for hacking and inadvertent disclosures. As mentioned in a previous post, health care fraud has reached new heights through the theft of personal and medical information. In the wrong hands, the sensitive information contained in these computerized records could unleash a fraud firestorm.

Historically, medical providers have successfully defended against claims brought by plaintiffs whose information was hacked or otherwise improperly accessed by relying upon the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which expressly provides that there is no private right of action under HIPAA. This success may be short-lived, as the number of hackers has increased and some courts, like Connecticut’s Supreme Court, have indicated a willingness to allow plaintiffs to bring claims for negligence and privacy violations against providers under state law.

HIPAA Standard of Care


In Byrne v. Avery Ctr. For Obstetrics & Gynecology, 314 Conn. 433 (2013), a health center produced a patient’s protected health information (PHI) in response to a subpoena without notifying the patient and without taking any steps to protect it from disclosure in violation of HIPAA’s guidelines. The aggrieved patient filed an action against the provider for breach of contract, negligence, and negligent infliction of emotional distress.

While noting HIPAA’s language with regard to private rights of action, the Court did not find that limitation dispositive of the negligence claim brought by the patient. The Court hinted that a violation of the standards promulgated under HIPAA may support a finding that the provider deviated from the standard of care, as required for a negligence claim.

Will New Jersey Follow Connecticut?

Given the proliferation of electronic medical records and the overwhelming amount of paperwork that healthcare providers deal with on a daily basis, the odds of falling victim to a HIPAA breach have markedly increased. New Jersey health care providers should be mindful of the Connecticut case because New Jersey may follow this trend of treating HIPAA guidelines as a standard of care that may be considered to support a negligence action.

Problem Prevention

1) Review and update HIPAA policies.

2) Educate staff on the significance of the policies and demand 100% compliance.

3) Develop a process to deal with subpoenas to ensure that the practice is in compliance with all applicable standards under federal and state law.