In a long-awaited decision concerning the confidentiality of medical records and patient privacy, the Connecticut Supreme Court recently concluded that the physician-patient relationship establishes a duty of confidentiality to a patient in Connecticut, and that unauthorized disclosure of confidential information obtained for the purpose of treatment in the course of that relationship gives rise to a cause of action in tort, unless the disclosure is otherwise permitted by law.
In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the Court considered – for a second time – the legal implications arising from the defendant’s mailing of the plaintiff’s medical records in 2005 to a probate court in response to a subpoena without providing notice to the plaintiff, filing a motion to quash the subpoena, or appearing in court as requested under the subpoena. Previously, in 2014 the Court held that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) did not preempt state law negligence claims arising from the alleged breach of confidentiality by the defendant in this case, and further that the HIPAA privacy and security standards can inform the applicable standard of care to the extent it is common practice in Connecticut for health care providers to comply with HIPAA. In that decision, the Court expressly reserved judgment as to whether Connecticut law actually recognized a negligence action arising from a health care provider’s alleged breach of its duty of confidentiality to a patient. In this case, the Court was tasked with resolving that question after a trial court subsequently granted summary judgment for the defendants on remand following the Court’s 2014 decision. In granting summary judgment, the trial court explained that no Connecticut court had previously recognized a common-law privilege for physician-patient communications, and that such a determination was better left to the Supreme and Appellate courts or the legislature.