Home Courts Trumbull lawyer wins precedent-setting HIPAA case

Trumbull lawyer wins precedent-setting HIPAA case


A groundbreaking legal case involving a former New Canaan resident will change how medical offices go about making sure they are fully compliant with HIPAA statutes — and could lead to numerous other legal actions in the state, according to attorney Bruce Elstein.

Elstein, who resides in Trumbull and is with the firm Goldman Gruder & Woods LLC, which has offices in Trumbull, Norwalk, Greenwich and Tarrytown, New York, in January won a state Supreme Court ruling establishing that patients in Connecticut have the right to sue doctors and other health care providers for the disclosure of their confidential medical records without the patient’s consent.

That it took 12 years — and isn’t over yet — came as a surprise to Elstein.

“I thought it was just a breach of confidentiality case,” he said. “But as we went along, the HIPAA element came into it.”

What would become Byrne v. Avery Center for Obstetrics & Gynecology began in 2004, when Emily Byrne was a patient of the Westport-based OB/GYN that, in accordance with the Health Insurance Portability & Accountability Act of 1996, told her it would not disclose her medical files without her authorization. Byrne expressly told the center not to release her records to her former partner, Andro Mendoza, that year, and relocated to Vermont in 2005.

In May 2005, Mendoza filed paternity actions against Byrne in Connecticut and Vermont and sent the Avery Center a subpoena requesting all of Byrne’s medical records. According to case records, the center did not challenge the subpoena or attempt to minimize disclosure, but mailed the records to the New Haven Regional Children’s Probate Court, where they became publicly available.

It was alleged that, after reviewing the file, Mendoza began to harass Byrne and tried to extort money from her. In September 2005, she filed a motion to seal her medical records, which was granted.

Through Elstein, Byrne sued Avery for negligence, arguing that HIPAA created a standard of care for patient medical records and maintaining that the standard had been violated by the unauthorized release of her records. Byrne lost in the Superior Court, which ruled that private suits such as hers were prevented by federal law.

On appeal, the state Supreme Court agreed that HIPAA established rules for protecting medical records but did not rule on whether Byrne had a right to sue Avery for damages. Byrne was dealt another defeat when the case returned to the trial court, which ruled that there was still no provision in the law that allowed circumvention of the HIPAA prohibition of private suits.

In effect, patients did not have any remedy to seek damages against a doctor’s office or medical practice for wrongful disclosure of private and confidential health information.

On remand, the trial court granted summary judgment to Byrne on the two negligence counts, finding that Connecticut courts had not “recognized or adopted a common-law privilege for communications between a patient and physicians.” And in January of this year, the Connecticut Supreme Court reversed itself, ruling that a physician-patient relationship creates a “duty of confidentiality” and that a health care provider’s “unauthorized disclosure of confidential (medical) information … gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law.”

In a decision written by Justice Dennis G. Eveleigh, the court said privacy is at the center of the physician-patient relationship and, without it, patients would be unwilling to be upfront about their conditions. The decision — based on reviews of relevant laws from jurisdictions in South Carolina, Massachusetts and Missouri, among others, as well as of HIPAA’s legislative history — said liability for breaches of confidentiality is consistent with sound medical practice under both state and federal law.

The Supreme Court decision will allow patients to sue any health care provider — not only a medical practice — in Connecticut that they believe has violated their privacy rights, according to Elstein.

“This is not so much about the harm caused to our client,” he said, “but about the need on the part of the provider to understand what HIPAA is about and work to improve their compliance, as well as living up to their responsibility when it comes to confidentiality.”

Many health care office staffers are given a quick run-through of the contents of HIPAA, Elstein added, but fail to be “religious about implementing it. Beyond the legal questions, there are moral and ethical standards that we all believe should be followed.”

The attorney said the Byrne case “isn’t an isolated one,” and that since the January ruling, “I probably get three or four calls a week from other potential clients, a few of which I’ve taken on.”

A decision on monetary damages to be awarded to Byrne is scheduled for next month in Bridgeport state court. Elstein declined to say what amount he and his client would be seeking.


Please enter your comment!
Please enter your name here