A recent ruling by the Connecticut Supreme Court could allow for an influx of lawsuits from victims of theft and fraud who have had their secured private health information disclosed and have suffered loss or harm as a result.
The case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology was heard by the court after a patient's medical records were given to a third party despite explicit instructions not to do so. While this is just one case, legal experts are now considering how this ruling will apply to data breaches involving millions of potentially affected people.
HIPAA violations are examined by the Office for Civil Rights of the Department of Health and Human Services, and financial penalties are issued to groups that breach regulations. HIPAA makes no allowance for a private right of action to sue for loss and damage caused by non-compliance issues or data breaches, although a small number of cases have been heard by the courts where HIPAA has been permitted as the Standard of Care in negligence claims.
It was not possible for a victim of a HIPAA violation to submit a lawsuit for the violation of privacy under HIPAA regulations; however, Byrne's negligence claim was heard by the court on the basis that the release of her medical records constituted professional negligence, with the medical center having behaved in a manner contrary to the rules laid down in HIPAA and subsequent amendments to those same rules.
The Supreme Court concurred that the case may involve a breach of generally accepted standards of care and deemed that the case should be heard in a lower court. The case should take place in 2015.
By building a case using HIPAA as the ‘standard of care’ that exists to secure the confidentiality of patient medical records, the issue of the privacy breach could be heard by the court as the medical center did not meet that standard of care, was negligent, and harm was caused to the patient as a direct result.
However, in the cases of data breaches, victims could possibly bring a case to court on the same grounds if a certain standard of care has not been met. Healthcare providers as well as business associates may be liable and all HIPAA-covered entities could face lawsuits following security breaches.
It is important to consider that negligence alone is not sufficient cause to file a claim as it must be proven that a lapse or failure to meet a certain standard of care caused loss or damage as a direct result. Without an injury or loss there is no valid claim for damages. Class action lawsuits against healthcare companies have not been heard as it has not been possible to establish that any harm, loss or damage had actually happened.
In the case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology, the patient, Emily Byrne, found that she was pregnant and contacted the medical center. She gave specific instructions not to divulge this information to the father of her unborn child, as she had ended the relationship and did not want him to know.
Emily exercised her privacy rights under HIPAA as she was permitted to; however, the medical center issued the medical records to the alleged father of the child after receiving a subpoena. It did not alert Byrne that the data was being released to the person, nor did it seek legal advice from the courts on the issue.
After the information was received, the father of the child conducted a campaign of “harm, ridicule, embarrassment and extortion”. The harm caused by this campaign could have been prevented were it not for the HIPAA violation and disclosure of her medical records.
While the medical center had to react to the subpoena, if Byrne had been warned she could have taken legal action herself. By failing to advise their patient of the release of her medical records, it is claimed, the center failed to meet a standard of care, and it should have made contact with the patient or her legal representative after receiving the subpoena.