A recent decision from the Connecticut Supreme Court holds that HIPAA does not preempt state law negligence actions, and suggests state courts can look to federal HIPAA regulations as a guide to define their own negligence standards, according to an article from Mayer Brown.
The decision stems from Byrne v. Avery Center for Obstetrics & Gynecology. The plaintiff of the case received treatment from the OB/GYN center, whose privacy policy agrees to not disclose health information without patients' authorization. The father of the plaintiff's child filed paternity actions, which included a subpoena. The OB/GYN center complied and sent the medical records to the family law court without telling the plaintiff. The father of the plaintiff's child reviewed the records and allegedly harassed and threatened the plaintiff, according to the report.
The plaintiff then sued the OB/GYN center for statutory negligence, common law negligence and negligent infliction of emotional distress, according to the report.
The trial court dismissed the claims, saying the state's statute allowing the disclosure of protected medical records via subpoena is "both contrary to and less stringent than HIPAA and therefore superseded by HIPAA," according to the report.
However, the Connecticut Supreme Court reversed the decision, saying that HIPAA does not preempt state law negligence actions for patient confidentiality concerns, and that instead state laws are complementary to or more stringent than HIPAA, according to the report.
The Connecticut Supreme Court said, "HIPAA and its implementing regulations may be utilized to inform the standard of care applicable" for states determining state law negligence, according to the report.
The report notes this ruling only applies in HIPAA contexts and in the following states: Connecticut, North Carolina, Kentucky, Delaware and Maine.
More articles on HIPAA:
5 keys to consider when storing and transferring medical images
Sony says employees' 'HIPAA-protected health information' may be compromised
Alaskan mental health facility fined $150k for failing to safeguard patient data