HIPAA allows states to recognize cause of action for breach of confidentiality
The list of liability risks for physicians continues to increase. On behalf of the Medical Liability Committee, this article presents new risks via highlights from a recent discussion with Jeannine M. Foran, BSN, JD, a Connecticut healthcare attorney who leads the Health Care Practice Advisory Group at Heidell, Pittoni, Murphy & Bach, LLP, in Bridgeport, Conn.
Dr. Marks: What is the latest liability risk that physicians should be concerned about?
Ms. Foran: Liability risks are generally local; however, when a risk is identified in one state, it may not be long before it occurs in other states. The Connecticut Supreme Court, forsaking long-standing precedent, now joins many other states in recognizing a cause of action for breach of confidentiality. In Byrne v. Avery Center for Obstetrics and Gynecology, PC, the Supreme Court held that physicians may be sued for negligence and negligent infliction of emotional distress caused by unauthorized disclosures of medical information. In the underlying case, the defendant healthcare provider received a subpoena instructing the custodian of the records to appear together with the patient’s medical records at the court. The patient had not provided an authorization for the disclosure. The defendant did not alert the patient to the subpoena, did not move to quash the subpoena, and mailed the records to the court. The Supreme Court found that the defendant failed to comply with the subpoena by mailing the records rather than appearing in person with the records and failing to provide adequate notice to the patient of the request.
Dr. Marks: This sounds distressful. However, it does appear to be a garden variety HIPAA breach. How is this new?
Ms. Foran: It is a new cause of action, not just a HIPAA breach. The Supreme Court concluded “a duty of confidentiality arises from the physician-patient relationship, and that unauthorized disclosure of confidential information obtained in the course of that relationship gives rise to a cause of action sounding in tort against a healthcare provider, unless the disclosure is otherwise allowed by law.” In so holding, the Court rejected the ruling of the trial court, which had held that HIPAA preempted a private cause of action and common law claims of negligence, and relegated alleged HIPAA violations to administrative remedies.
Dr. Marks: Why does this create a new risk?
Ms. Foran: This case highlights the risk inherent in handling subpoenas and providing disclosures to third parties, as well as the importance of compliance with policies and procedures, and the required processes of HIPAA relative to disclosure to third parties.
Dr. Marks: What general recommendations should physicians heed?
Ms. Foran: First, physicians should always require a patient or patient representative authorization before releasing records. If the patient is unable to comply, then a court order is needed. The key is strict compliance with the court order. If the court order says “mail the record to the third floor room 106 at the courthouse,” physicians must do exactly that. Don’t drop them off; don’t send someone with the records. For an attorney subpoena, it’s somewhat up to local law, but by and large there is no such thing. An attorney subpoena is not a court order. An attorney subpoena requires an authorization. The bottom line is that for the infrequent circumstances when there is no authorization or court order, physicians should seek counsel with an attorney.
Dr. Marks: We’ve been counseling physicians to be careful with HIPAA regulations. This new cause of action is disturbing. Is there anything else that you can share?
Ms. Foran: The Appellate Division, State of New York, recently held that physicians may be liable for punitive damages for the “act of altering or destroying medical records in an effort to evade potential medical malpractice liability.” In Gomez v. Mercado, et al, a jury found the physician committed malpractice in her treatment of the infant plaintiff. In the case, the physician admitted that she threw away her handwritten notes after she typed a note into her electronic medical record (EMR), after she received a plaintiff’s attorney letter requesting the records.
The jury originally awarded $1.2 million, and the New York Appellate Court reduced it to $500,000. The Appellate Court rejected the physician’s contention that punitive damages should not be allowed because the destruction of records did not cause or contribute to the infant’s death. The Appellate Court also rejected the physician’s contention that the destruction of records did not prevent the plaintiff from successfully prosecuting the malpractice claim. In its holding, the Court stated that allowing an award of punitive damages where a physician alters or destroys medical records “will serve to deter medical professionals from engaging in such wrongful conduct, punish medical professionals who engage in such conduct, and express public condemnation of such conduct.”
Dr. Marks: It’s quite apparent that the court was sending a message. What do you recommend?
Ms. Foran: It may sound somewhat proscriptive, but taking the following steps will assist physicians in minimizing their liability risks:
- Confer with the practice’s professional liability carrier to ensure there is appropriate coverage for the various types of risks that are presented professionally.
- Review processes for note-taking outside of an EMR and document destruction policies regarding the same.
- Ensure staff has a strong working knowledge of all elements of HIPAA that relate to the protection and disclosure of patients’ medical records.
- Review current policies and practices regarding and responding to requests for medical records.
- Do not release medical records without a valid authorization in response to attorney subpoenas.
- Review the circumstances under which medical records may be released without the patient’s authorization (e.g., in response to a court order).
- Never discuss a patient with counsel or any individual without appropriate authorization.
- Maintain an audit trail of actions relative to release of medical information.
- Educate staff regarding required elements of a valid authorization to release medical records.
- Audit your processes to ensure compliance with rules, regulations, and your own policies.
Michael R. Marks, MD, MBA, is a member of the AAOS Medical Liability Committee, AAOS Patient Safety Committee, and mentor for the AAOS Communications Skills Mentoring Program. He can be reached at email@example.com.