Utilizing HIPAA as a Basis for State Negligence Actions

December 2014 | Articles | Data Protection Law & Policy

This article was first published in Volume 11 Issue 12 of Data Protection Law & Policy (December 2014). Data Protection Law & Policy, launched in 2004, is the monthly law journal dedicated to making sure that businesses and public services alike can find their way through the regulatory and organisational maze of data privacy compliance to reap the rewards of effective, well-regulated and transparent use of data. Visit www.e-comlaw.com for details.


This article discusses the implications of a recent Connecticut Supreme Court opinion that allowed the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), a comprehensive United States federal statutory and regulatory scheme governing the privacy and security of patients’ health information, to be used by a plaintiff alleging negligence under state common law. HIPAA, notably, lacks a private right of action and preempts state laws that are “contrary” to HIPAA (except where the state law is “more stringent” than HIPAA in terms of privacy protection). In effect, the Connecticut Supreme Court opens the door for plaintiffs to import federal privacy standards into actions brought in state court alleging privacy violations and seeking remedies under state law.

This landmark decision was handed down in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C., --- A.3d ---, 2014 WL 5507439 (2014) (the “Byrne case”), in which the court stated the following:

"Assuming, without deciding, that Connecticut’s common law recognizes a negligence cause of action arising from health care providers’ breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances."

Interestingly, the decision was rendered 20 months after the case was argued before the Court on March 12, 2013. The passage of that much time may indicate that the Court struggled to break new ground in this area and wanted to consider its opinion with great care. Whatever the basis for the delay, however, there is no doubt that the decision will generate much discussion and commentary, in light of its significant precedential value. The defendant in the Byrne case can theoretically seek review by the Supreme Court of the United States on the grounds that the matter involves a substantial federal question. However, that can be a costly prospect and one that may fail for any number of reasons.

The decision adds the Connecticut Supreme Court to a growing list of lower courts that have found that HIPAA’s lack of a private right of action does not necessarily foreclose action under state statutory and common law using HIPAA requirements as the standard for reasonable care. HIPAA specifically prohibits lawsuits from being brought by individuals; only the United States Department of Justice and the Attorneys General of the various states can bring actions directly authorized by HIPAA seeking damages, penalties or other remedies for violations of HIPAA. The Byrne case is nonetheless significant, as it appears to be the first decision by the highest court of a state holding that state statutory and judicial causes of action for negligence, including invasion of privacy and infliction of emotional distress, are not necessarily preempted by HIPAA, so that individuals are not barred from seeking recourse in state courts for breaches of HIPAA that implicate negligence standards under state statutory or case law.

The Byrne case recognizes that HIPAA may be the appropriate standard of care to determine whether negligence is present. Moreover, the principle that HIPAA compliance represents a well-accepted standard of care may apply to other types of state tort actions not directly related to privacy, such as malpractice, where a plaintiff argues that a failure to comply with HIPAA, like a failure to comply with state laws governing physicians or professional codes of conduct, establishes an element of negligence. In addition, as discussed in more detail below, there may be other federal statutory or regulatory standards governing privacy and security of individual health information that apply to conduct not covered by HIPAA and/or conduct that is covered by HIPAA in addition to such other standards. These additional federal statutory or regulatory standards could also be applied as standards of conduct giving rise to individual rights of action under state tort law.

The Byrne Case – Not a “Garden Variety” Breach

The Byrne case is interesting in itself in that it did not involve a “garden variety” type of alleged breach of health information privacy, such as one resulting from a stolen or lost laptop or other handheld device containing protected health information as defined in HIPAA (“PHI”), a hacking incident, the unintended posting or disclosure of PHI on an unencrypted website, or another common source of a privacy breach. This breach related to the defendant physician practice group’s alleged attempt to comply with a state court subpoena and the practice’s resulting violation of HIPAA.

The patient, Emma Byrne, brought an action against her health care provider for improperly breaching the confidentiality of her medical records and alleged claims for negligence and negligent infliction of emotional distress under Connecticut state law. The Court stated that the following facts were undisputed: (1) the defendant physician practice group provided the plaintiff with gynecological and obstetrical care and treatment; (2) the defendant provided its patients, including the plaintiff, with notice of its privacy policy regarding PHI under HIPAA and agreed, based on this policy and on law, that it would not disclose the plaintiff's health information without her authorization; (3) the plaintiff later began a personal relationship with an individual (the “Individual”) that ended five months later, after which time the plaintiff instructed the defendant not to release her medical records to the Individual; (4) thereafter, the defendant was served with a subpoena requesting its presence together with the plaintiff's medical records at a court proceeding; (5) the defendant did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court; (6) the defendant mailed a copy of the plaintiff's medical file to the court; and (7) the Individual informed the plaintiff by telephone that he had reviewed the plaintiff’s medical file in the court file.

The plaintiff filed a motion to seal her medical file, which was granted. The plaintiff alleged that she suffered harassment and extortion threats from the Individual after he viewed her medical records. The plaintiff then sued the defendant, alleging, among other things, that the defendant breached its contract with her when it violated its privacy policy by disclosing her PHI without authorization; the defendant acted negligently by failing to use proper and reasonable care in protecting her medical file and disclosing it without authorization under state statutory law and HIPAA; and the defendant engaged in conduct constituting negligent infliction of emotional distress.

Although the court in the Byrne case held that HIPAA’s lack of a private right of action did not preempt or preclude plaintiff’s ability to bring an action under state law based on defendant’s alleged violations of HIPAA’s privacy standards, the court left unresolved the question of whether HIPAA should simply be used as evidence of the standard of care, or might be used as a “legislatively imposed” standard. In the final footnote in its decision, the court notes: “… whether the particular HIPAA regulations at issue are suitable for use as a legislatively imposed standard of care for purposes of establishing negligence per se is a potentially complex question of law that has not been adequately briefed by the parties herein, and therefore, is one that we need not decide in this appeal.”

Other Federal Statutes and Regulations as Possible Sources of Individual Actions Asserting Claims under State Law

HIPAA is not the sole federal statutory and regulatory scheme governing the privacy and security of information, including information that is PHI under HIPAA. For example, in a complaint filed on August 29, 2013, the Federal Trade Commission (“FTC”) brought an administrative action against LabMD, Inc. on the grounds that the company failed to reasonably protect the security of PHI allegedly found on a peer-to-peer file sharing network, in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. 45(a) (“Section 5”) (see www.ftc.gov/enforcement/cases-proceedings/102-3099/labmd-inc-matter). The action is still pending and has generated an investigation by the United States Congressional Committee on Oversight & Government Reform (see http://oversight.house.gov/hearing/federal-trade-commission-section-5-authority-prosecutor-judge-jury-2/), but it does not involve an alleged violation of HIPAA, nor has the FTC adopted regulations specifically delineating standards of conduct under Section 5.

The FTC also regulates the privacy and security of information contained in personal health records that are not subject to HIPAA jurisdiction pursuant to section 13407 of the American Recovery and Reinvestment Act of 2009, and has adopted a “Health Breach Notification Rule” governing “foreign and domestic vendors of personal health records, PHR [personal health records] related entities, and third party service provider. . . .” 16 C.F.R. 318.1 et seq.

In addition, the Federal Communications Commission recently announced its intention to fine two telecommunications companies for violations of Sections 201(b) and 222(a) of the Communications Act of 1934, as amended, and the FTC rules related to the failure to protect proprietary information (“PI”) such as names, addresses, social security numbers, and driver’s license numbers belonging to low-income Americans that was stored on internet servers (see www.fcc.gov/document/10m-fine-proposed-against-terracom-and-yourtel-privacy-breaches).

The Byrne case suggests that state courts may look to other federal standards of conduct related to the privacy and security of individually identifiable information (whether PHI, PHR, or PI) as evidence of the standard of care for purposes of bringing an action for negligence or other tort action seeking damages under state law.

Actions that Are Suggested by the Results of the Byrne Case

The Byrne case has important implications for HIPAA matters beyond allowing individuals to do indirectly what they cannot do directly – namely, to sue under state tort law, using a violation of HIPAA regulations as the standard of care. Some actions that a “covered entity” (“CE”) and a “business associate” (“BA”) as defined under HIPAA may consider as responses to the Byrne case include the following:

1. CEs and BAs should consider acquiring sufficient cybersecurity insurance with expanded coverage and limits. Such coverage should not be limited to coverage for HIPAA violations, but should cover any types of losses resulting from a data breach, including a breach of PHI, PHR or PI arising under federal or state law.

2. Business associate agreements (“BAAs”) should be reviewed to see if they include obligations regarding individual health information arising under federal and/or state laws other than HIPAA. BAAs may expose the parties to new liabilities under the principles of the Byrne case.

3. BAAs should be reviewed to see if there is a clear negation of potential third party beneficiary rights under the BAA. For example, while HIPAA specifically excludes individual private rights of action for a breach of HIPAA, a party does not want to run a risk of creating unintentionally a separate contractual private right of action in a BAA in favor of third party individuals under the principles of the Byrne case.

4. BAAs should be reviewed to see if they contain indemnification provisions and, if they do, the extent of the potential liability those provisions create.

5. CEs and BAs should consider seeking advice from knowledgeable professionals relative to their potential exposure if their states of operations adopt principles similar to those of the Byrne case.

6. Care should also be taken in selecting the applicable state law that governs a BAA in light of continuing developments in the laws regarding privacy and security of individual health information.


Efforts to use HIPAA regulations or other federal statutes and regulations as standards for causes of action under state law involving breaches relating to individual health information can be expected to rise as a result of the Byrne decision. This area will be the source of expanded litigation and uncertainty in jurisdictions around the country unless and until the Supreme Court of the United States renders its opinion on the matter.

Reference: 45 C.F.R. 160.202 and 160.203 (HIPAA preemption provisions).