The demand for privacy law expertise continues to increase, as courts and lawmakers wrestle with the issue of what sorts of information are protected under the law, how violations are or should be enforced, what forms of recourse and relief are available to aggrieved parties, and where such relief may be obtained.
The Eleventh Circuit Court of Appeals recently found (Murphy v. Dulay, 11th Court of Appeals, No. 13-14637) that a provision of Florida’s recent tort reform — requiring that a medical malpractice plaintiff execute a written authorization form for release of protected health information—was not preempted by the Health Insurance Portability and Accountability Act (“HIPAA”), a federal statute, and its accompanying regulations. The court noted that the authorization form, required as a pre-condition to filing a medical negligence claim under applicable Florida law, effectively permitted prospective defendant(s) to obtain documents and conduct ex parte interviews of the prospective plaintiff’s medical providers on matters pertinent to the medical negligence claim. The form also requires the release of other information not specifically related to the prospective plaintiff’s medical claims.
The court summarized Florida’s many pre-suit requirements, which include the authorization form. The court examined the Florida statute and compared it with the requirements of HIPAA and the accompanying regulations, noting that the lower court had found a conflict between the two because the authorization, required in order to file a suit on medical malpractice, was not “voluntary.”
The Eleventh Circuit, however, found no conflict or preemption, stating:
The Florida law requires only that a prospective plaintiff act in accordance with a federal provision, exactly as contemplated by Congress and the Secretary who promulgated the regulations, before filing a medical negligence complaint in state court. Conditioning the use of the state courts on compliance with a federal provision (HIPAA) does not conflict with that federal provision (HIPAA).
The Connecticut Supreme Court yesterday issued an opinion (Byrne v. Avery Center for Obstetrics and Gynecology, PC, No. 18904) which directly addressed the issue of whether a plaintiff may avail themselves of state law tort claims as a remedy for HIPAA violations. The court observed that “it is now well-settled that the ‘statutory structure of HIPAA . . . precludes implication of a private right of action.’” The court noted that federal authority provides, instead, for imposition of fines and even imprisonment. The court therefore turned to the to issue before it: whether HIPAA preempts a state law claim sounding in negligence arising from a health care provider’s alleged breach of physician-patient confidentiality in the course of complying with a subpoena.
The court did not address whether Connecticut state law includes a cause of action for loss of privacy within its cause of action for negligence. The court did, however, clearly enunciate that:
the regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.
The Connecticut case dealt with a mistake by a medical provider in responding to a subpoena — mailing the plaintiff’s private medical information to the court, where they were filed and made a part of the court record.
These two cases underscore the complexity and continuing evolution of HIPAA law in state and federal courts. The Connecticut case underscores the level of legal sophistication required by health care providers who receive requests for records. The Eleventh Circuit case highlights the impact on privacy that tort reform measures may have on people who assert their claims of medical negligence in Florida.