A recent decision of the Connecticut Supreme Court signals a growing trend in Health Insurance Portability and Accountability Act (HIPAA) jurisprudence that could prove significant in the broader data-security context. 

Although HIPAA contains no private right of action and preempts contrary state laws, several courts have held the HIPAA does not preempt state-law negligence claims for improper disclosure of private patient information and—importantly—that HIPAA regulations may inform the state-law duty of care. This trend and the most recent case, Byrne v. Avery Center for Obstetrics & Gynecology, P.C.,1 should be of interest not only to health care providers, but also to all companies collecting or disseminating sensitive customer information.  Courts have yet to address the contours of any common-law duty to protect consumer data in the data-security context, but Byrne suggests that courts could look to federal regulations and standards, even if the federal-law sources do not provide private rights of action.
While certainly not new, data-breach lawsuits have become more common after numerous high-profile breaches within the past year.  But most of the litigation to-date has centered on a plaintiff's ability to state a cause of action. Plaintiffs have tried numerous common-law theories: breach of contract, unjust enrichment, invasion of privacy, misrepresentation and negligence. Courts generally reject contract, unjust enrichment and misrepresentation claims unless the defendants undertook some specific security obligations in their contracts or privacy policies.  Invasion of privacy claims frequently fail for lack of "publication," and negligence claims fail for lack of actual injury—e.g., identity theft—under either the economic loss doctrine or Article III standing. 

Few cases have gone beyond the pleadings, and fewer still have reached the question of what a state-law negligence duty entails in the context of data breach.  In the HIPAA context, however, courts have begun to look to federal regulations for guidance, a trend that could inform courts in data-breach cases that survive the pleadings.

The plaintiff in Byrne received treatment in connection with her pregnancy from the defendant obstetrics center, which agreed in its privacy policy not to disclose her health information without authorization. But after the child's father filed paternity actions and served a subpoena, the obstetrics center mailed a copy of the plaintiff's medical records to the family law court without informing Byrne. Before Byrne could seal the records, the father reviewed them and allegedly harassed and threatened her.  Byrne sued the obstetrics center, alleging, in pertinent part, statutory negligence, common-law negligence and negligent infliction of emotional distress. 

The trial court dismissed the statutory and common-law negligence claims and the negligent infliction of emotional distress count, reasoning that they were essentially HIPAA claims in disguise. 2  More specifically, addressing the state statutory negligence claim, the court wrote that "[t]o the extent that [the statute] permits disclosure of protected medical records pursuant to a subpoena without the safeguards provided by HIPAA, it is both contrary to and less stringent than HIPAA and therefore superseded by HIPAA." Similarly, the trial court opined that if "common law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA's preemption rule" and "[b]ecause it is not more stringent [than HIPAA], the preemption exception does not apply." The court further ruled that insofar as the doctrine of negligent infliction of emotional distress "permits a private right of action for HIPAA claims" it is also is preempted by HIPAA.

The Connecticut Supreme Court reversed the trial court's decision, holding that HIPAA does not preempt state-law negligence actions for breach of patient confidentiality, as such actions are not "contrary" to HIPAA, but either complementary or "more stringent." 3  Of interest in the broader data-security context, Connecticut joined courts in North Carolina, Kentucky, Delaware and Maine by ruling that "HIPAA and its implementing regulations may be utilized to inform the standard of care applicable" in state-law negligence actions.4  In addition, district courts in Tennessee and Missouri have remanded negligence claims predicated on HIPAA regulations to the respective state courts, implying that such claims are proper under state law.5 

These rulings apply only in the HIPAA context and only in those specific states. Even so, the cases bear watching from a data-security perspective, as courts could employ similar reasoning in data-breach actions, looking to regulations or pronouncements by the Federal Trade Commission, Federal Communications Commission, or other federal regulatory entities that have entered or might yet enter the data-security fray. 

It is important to note that the Connecticut Supreme Court in Byrne assumed, without holding, that Connecticut's common law recognizes a negligence action for breach of patient confidentiality, so state courts could still hold that companies owe no data-security duties beyond those assumed in contract or imposed by statute.  Moreover, the court noted that HIPAA regulations are relevant to the negligence standard of care to the extent they have become "common practice" for Connecticut health care providers. On this reasoning, only those standards that achieve frequent use within an industry or locale would inform a negligence duty. 

Given the increase in data-breach lawsuits and the trend in HIPAA cases, companies should pay close attention to federal regulatory efforts, especially those that gain common use, even if those standards do not carry penalty provisions or private rights of action.


Endnotes:

1 314 Conn. 433 (Conn. 2014).
2 See Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., No. CV07 600 16 33 S, slip op. at 18-27(Conn. Super. Ct. April 7, 2011).
3 See Byrne, 314 Conn. 433, 446-58; see also R.K. v. St. Mary's Med. Ctr., Inc., 735 S.E.2d 715 (W. Va. 2012); Yath v. Fairview Clinics, N.P., 767 N.W.2d (Minn. Ct. App. 2009). 
4 See Bonney v. Stephens Mem. Hosp., 17 A.3d 123 (Me. 2011); Fanean v. Rite Aid Corp. of Delaware, Inc., 984 A.2d 812 (Del. Super. Ct. 2009); Young v. Carran, 289 S.W.3d 586 (Ky. Ct. App. 2008); Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006).
5 See I.S. v. Wash. Univ., No. 4:11CV235SNLJ, 2011 WL 2433585, at *5 (M.D. Mo. June 14, 2011); Harmon v. Maury County, No. 1:05 CV 0026, 2005 WL 2133697, at *4  (M.D. Tenn. Aug. 31, 2005).

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2014. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.