HIPAA Negligence Claim Allowed by Connecticut Supreme Court

by | Nov 9, 2014

A recent ruling by the Connecticut Supreme Court could allow for an influx of lawsuits from victims of theft and fraud who have had their secured private health information disclosed and have suffered losses or harm due to this.

The case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology, was  by the court after a patient’s medical records were given to a third party when explicit instructions were provided not to do so. While this is just one single case, legal experts are now considering how this ruling will apply to data breaches involving millions of potential affected people.

HIPAA violations are examined by the Office for Civil Rights of the Department of Health and Human Services and financial penalties are issued to groups that breach regulations. HIPAA makes no allowance for the private right of action to sue for loss and damage caused by non-compliance issues or data breaches, although a small number of cases have been heard by the courts where HIPAA has been permitted as the Standard of Care in negligence claims.

It was not possible for a victim of a HIPPA violation to submit a lawsuit for the violation of privacy under HIPAA regulations; however Byrne’s negligence claim was heard by the court on the basis that the release of her medical records constituted professional negligence, with the medical center having behaved in a manner contrary to the rules laid down in HIPPA and subsequent amendments to those same rules.

The Supreme Court concurred that the case may involve a breach of generally accepted standards of care and deemed that the case should be heard in a lower court. The case should take place in 2015

By building a case using HIPAA as the ‘standard of care’ that exists to secure the confidentiality of patient medical records, the issue of the privacy breach could be heard by the court as the medical center did not meet that standard of care, was negligent, and harm was caused to the patient as a direct result.

However, in the cases of data breaches, victims could possibly bring a case to court on the same grounds if a certain standard of care has not been met. Healthcare providers as well as business associates may be liable and all HIPAA-covered entities could face lawsuits following security breaches.

It is important to consider that negligence alone is not sufficient cause to file a claim as it must be proven that a lapse or failure to meet a certain standard of care caused loss or damage as a direct result. Without an injury or loss there is no valid claim for damages. Class action lawsuits against healthcare companies have not been heard as it has not been possible to establish that any harm, loss or damage had actually happened.

In the case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology, the patient, Emily Byrne, foundd that she was pregnant and contacted the medical center and gave specific instructions not to divulge this information to the father of her unborn child as she had ended the relationship and did not want him to know.

Emily exercised her privacy rights under HIPAA as she was permitted to; however, the medical center issued the medical records to the alleged father of the child after receiving a subpoena. It did not alert Byrne that the data was being released to the person, nor did it seek legal advice from the courts on the issue.

After the information was received, the father of the child conducted a campaign of “harm, ridicule, embarrassment and extortion”. The harm caused by this campaign could have been prevented were it not for the HIPAA violation and disclosure of her medical records.

While the medical center had to react to the subpoena, if Byrne had been warned she could have taken legal action herself. By failing to advise their patient of the release of her medical records it is claimed there has been a failure in a standard of care and that the center should have made contact with the patient or her legal representative after receiving the subpoena.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy