Subpoena Response that Violated HIPAA Costs a CT Healthcare Provider $853,000

Healthcare providers regularly receive subpoenas for medical records.  All too often, providers simply turn over the subpoenaed records without ensuring that the disclosure is permitted by law.  A recent Connecticut appeals court decision, Byrne v. Avery Center for Obstetrics and Gynecology, P.C., upheld a jury award of $853,000 for a healthcare provider’s improper medical record disclosure in response to a subpoena.

Byrne v. Avery Center

Emily Byrne was a patient of Avery Center for Obstetrics and Gynecology, P.C. (the “Avery Center”).  After she learned she was pregnant, she instructed the Avery Center not to disclose any information to her former boyfriend, Andro Mendoza.  Byrne moved to Vermont.  Mendoza filed a paternity suit in Probate Court and subpoenaed the Avery Center for copies of Byrne’s records.

There was no court order or HIPAA-compliant authorization with the subpoena and the Avery Center did not make any other effort to ensure that it could properly disclose the records under HIPAA.  Rather, the Avery Center just mailed copies of the records to the court.  Unfortunately, the court clerk placed the records in the court’s public file allowing Mendoza (and potentially others) to access the records.  Byrne claimed that Mendoza used the information in those records to harass and threaten her and her family.

Byrne sued the Avery Center.  The Avery Center admitted to violating HIPAA’s rules regarding subpoena response.  It likely did so because HIPAA does not grant a private right of action for someone to sue when there has been a violation.

The case went to the State Supreme Court twice.  In 2014, the Court concluded that while there is no private right of action under HIPAA, failing to meet the standards under HIPAA can be used to establish a breach of a standard of care in a negligence action.  Four years later, the State Supreme Court officially recognized a cause of action for negligent disclosure of confidential information obtained during the treatment relationship unless the disclosure is permitted by law.

The case went back to the trial court and, at the end of 2018, a jury awarded Byrne $853,000 for the Avery Center’s negligent disclosure of the records.  The recent appeals court decision concluded that the fact that the Probate Court clerk improperly placed the records in the public file did not absolve the Avery Center from responsibility for its improper disclosure.

The Implications of the Decisions

The 2018 recognition of a cause of action against healthcare providers for negligent disclosure of records caused a major shift.  After the 2018 State Supreme Court decision, healthcare providers can be sued for violating HIPAA under state law.  And the most recent appellate court decision from last week makes clear that a provider is still on the hook even if an intervening party mishandles the records after the initial disclosure.

Subpoenas present a significant risk of liability because an outside party often is attempting to compel the disclosure of records that the patient may not want disclosed.  Therefore, an improper disclosure will almost certainly result in some harm to the patient (e.g., financial, emotional or both).  A patient who suffers harm is likely to sue.  And, under Byrne v. Avery Center, there is a good chance for success if the disclosure violated HIPAA or other laws applicable to the release of the information.

Tips for Avoiding Negligent Disclosure

  1. Providers should have a policy or written guidelines on handling subpoenas.
  2. The person responsible for handling subpoenas should immediately determine the following:
    1. What information is being sought (testimony, records or both)?
    2. What is the timeframe for response/compliance?
    3. Who issued the subpoena? Depending on state law, subpoenas issued by a court or a government agency may need to be treated differently than a subpoena issued by a private attorney.
    4. Is it an out-of-state subpoena? Out-of-state subpoenas may not be effective in another state.
    5. How was the subpoena served? Was it served in-person or received via mail, fax or some other method?   Some state laws require a certain type of service (e.g., in-person service).
    6. Was there a HIPAA-compliant authorization or a court order accompanying the subpoena?
  3. Consider a policy that only permits a disclosure of subpoenaed medical records when the subpoena is accompanied by a HIPAA-compliant authorization from the patient or an order from a court. Permit exceptions only on a limited basis with the Privacy Officer’s approval.  While HIPAA outlines other circumstances under which subpoenaed records may be disclosed, disclosure under those circumstances is not required.
  4. When the subpoena is accompanied by a HIPAA-compliant authorization or a court order, be sure to disclose only the information detailed in the authorization or court order, not the subpoena.
  5. When the subpoena is not accompanied by a HIPAA-compliant authorization or a court order and it is not issued by a state agency or tribunal with authority to direct the disclosure under state law, contact the issuing attorney. If the issuing attorney refuses to provide an authorization or court order and demands compliance, seek the assistance of legal counsel.  The provider may need to file a Motion for Protective Order or take other steps.

Finally, do not send records to a court with an expectation that the court will ensure the protection of the records.  As we learned from Byrne v. Avery Center, the provider remains liable for an improper disclosure even if the court inappropriately makes the records available.