Healthcare Information Security

HIPAA and Compliance News

CT Supreme Court Rules Patients Can Sue Over PHI Disclosure

The Connecticut Supreme Court established a new legal precedent in the state, ruling that patients can legally sue providers over PHI disclosure.

phi disclosure hipaa violation data security

Source: Thinkstock

By Elizabeth Snell

- There is a duty of confidentiality between a physician and patient, and patients have the right to sue should unauthorized PHI disclosure take place, according to the Connecticut Supreme Court.

In Byrne v. Avery Center for Obstetrics & Gynecology, P.C., the Court reversed the trial court’s judgement, which stated that the healthcare provider in question “owed the plaintiff no common-law duty of confidentiality.”

The plaintiff, Emily Byrne, learned she was pregnant and requested that her provider not release any of her medical information to the father of the child. Byrne was no longer in a relationship with the father. Avery Center then released Byrne’s information when given a subpoena.

“From our review of the record in the present case, it appears that the defendant did not even comply with the face of the subpoena, which required the custodian of records for the defendant to appear in person before the attorney who issued the subpoena,” the Supreme Court decision read. “Instead, the defendant mailed a copy of the plaintiff’s medical records directly to the court.”

The Court noted that HIPAA regulations require certain measures be taken with regard to subpoenas.

READ MORE: NM Supreme Court to Review Alleged HIPAA Violation Case

“Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal,” the Privacy Rule states. “Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.”

However, PHI disclosure can only take place when the patient has received adequate notice of the request or that a qualified protective order has been pursued.

“The defendant’s own admissions establish that it did not comply with this regulation when it responded to the subpoena in the present case,” the Court wrote.

The plaintiff had also claimed “negligence and negligent infliction of emotional distress.” There is a duty of confidentiality in Connecticut common-law, she maintained. Public policy considerations further support this recognition.

“Recognizing a cause of action for the breach of the duty of confidentiality in the physician-patient relationship by the disclosure of medical information is not barred by § 52-146o or HIPAA and that public policy, as viewed in a majority of other jurisdictions that have addressed the issue, supports that recognition,” the Court explained.

READ MORE: Kentucky HIPAA Violation Case Ruling Held by Appeals Court

The physician-patient confidentiality is a privilege, the decision added. When that confidentiality is diminished in any way, it can potentially affect how the physician is able to delivery proper care.

“‘The purpose of the privilege is to give the patient an incentive to make full disclosure to a physician in order to obtain effective treatment free from the embarrassment and invasion of privacy which could result from a doctor’s testimony,’” the Court explained, citing a previous case.

The Appellate Court has also “recognized the fiduciary nature of the physician-patient relationship, which is based on trust and confidence that develops as medical service is provided.”

Furthermore, other court cases have recognized the importance of physician-patient confidentiality.

“‘Notwithstanding the concern that application of the patient-physician privilege may bar the admissibility of probative testimony, there is a clear recognition that, in general, a physician does have a professional obligation to maintain the confidentiality of his patient’s communications,’” the Court wrote, quoting Stempler v. Speidell. “‘This obligation to preserve confidentiality is recognized as part of the Hippocratic Oath.’”

READ MORE: Judge Says HIPAA Regulations Do Not Apply in Organ Donor Case

Byrne v. Avery Center for Obstetrics & Gynecology, P.C. was first brought to the state Supreme Court in 2014. That ruling also stated that patients can sue a provider for HIPAA negligence if it violates regulations dictating how healthcare organizations must maintain patient confidentiality.

“Before this ruling, individuals could not file a lawsuit claiming violation of their privacy under the (Health Insurance Portability and Accountability Act of 1996) regulations,” Trumbull lawyer Bruce Elstein previously told the Connecticut Post. “It was for that reason that we filed a negligence claim, claiming the medical office was negligent when it released confidential medical records contrary to the requirements set forth in the regulations.”

Patient privacy concerns with legal or illegal searches was also an issue in a case presented to the California Supreme Court in 2017.

In that case, Dr. Alwin Carl Lewis claimed that patient privacy was violated after a government agency obtained an individual’s prescription records without a warrant. Lewis had recommended a diet plan for a prospective patient. The patient thought the proposal was “unhealthful” and filed a complaint to the Medical Board. The Board obtained Controlled Substance Utilization Review and Evaluation System (CURES) reports on Lewis.

“With all the data that is being gathered about people – and this is health data, the most private data most deserving of protection – this data cannot be accessed willy-nilly,” Los Angeles attorney Henry Fenton said during the Supreme Court hearing, according to Courthouse News Service. “There has to be proper cause for them to do it.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...