My partner Elizabeth Litten and I were recently interviewed for an article entitled “Connecticut ‘opens floodgates’ for HIPAA litigation” published in “Privacy this Week” by DataGuidance. The full text of the article can be found in the November 13, 2014 issue of “Privacy this Week,” but a discussion of the article is set forth below.

On November 11, 2013, the Connecticut Supreme Court ruled in the case of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. that (i) an action for negligence arising from a health care provider’s breach of patient privacy is not preempted by the HIPAA statute and regulations, which do not permit a private right of action to be brought by an individual under HIPAA, and (ii) HIPAA regulations may well inform the applicable standard of care in certain circumstances. Elizabeth and I have previously posted blog entries respecting the Byrne case that may be read here and here, respectively.

Elizabeth pointed out, “The precedents this case sets may have exponential repercussions and may twist the decision in extreme illogical directions.”

I observed that the Byrne case may have opened the floodgates of litigation because the decision may have established a new level of punishment that is not present under the federal HIPAA law itself.  Just consider the liability a doctor could incur if he or she mistakenly leaves a document with personal health data on the wrong nurse station desk. If, for example, someone improperly accesses that information and uploads the data to the Internet, we have a data breach under HIPAA standards – which in turn may be an act of negligence under state tort or malpractice law with liability to the doctor under the principles of the Byrne case.

Elizabeth also stated that there is fear that some of the things HIPAA tries to regulate, such as transparency in data breaches, may be undermined. If individuals can resort to state law to seek compensation for data breaches, companies may see benefits in not complying with the transparency finality of HIPAA. “Furthermore there are many other federal standards with implications in data protection, such as the Family Educational Rights and Privacy Act (FERPA), that could follow the case of HIPAA,” Elizabeth noted.

I added my view that it would not be surprising if HIPAA is taken to the United States Supreme Court to delimit its preemption scope. We certainly haven’t seen the end of it.  The Connecticut case may provide a new avenue for an individual plaintiff to sue for a health data breach under state law by using HIPAA indirectly when he or she cannot sue under HIPAA itself directly.  This blog will continue to follow the Byrne case and other cases involving HIPAA and other federal and state law interactions and potential conflicts.