You've Been Served: What Might Happen When Responding to a Subpoena

by Ron Hedges

Legal consequences flow from the use or abuse of EHR. This monthly column presents examples of what those consequences can be.

Healthcare providers receive and respond to subpoenas on a regular basis. Providers routinely produce personal health information (PHI) when doing so. What might be the consequence for a provider which violates HIPAA when it produces PHI in response to a subpoena? A recent Connecticut Supreme Court decision, Byrne v. Avery Center for Obstetrics and Gynecology, P.C., SC 18904 (Conn. 2014) provides an unsettling answer.

Byrne Case Background

The plaintiff, Emily Byrne, was a party to a Connecticut paternity action arising out of a personal relationship with Andro Mendoza. She had instructed the Avery Center NOT to release her medical records to him. The Avery Center did not notify Byrne when it was subpoenaed in the paternity action for the production of her medical records. Instead, it mailed a copy of Byrne’s records to the court in which the action was pending. Mendoza saw the records and he allegedly harassed and threatened Avery thereafter.

Byrne filed a civil action against the Avery Center because of its compliance with the subpoena and disclosure of the records. She alleged that, among other things, the Avery Center was negligent in failing to use “proper and reasonable care in protecting her medical file.” Her allegation was rooted on the common law of negligence and negligent infliction of emotional distress rather than on HIPAA itself because HIPAA could not be enforced by her directly. The trial court granted summary judgment in favor of the Avery Center, reasoning that Byrne’s negligence and negligent infliction claims were preempted by HIPAA. The Connecticut Supreme Court reversed.

Reasoning for the Byrne Ruling

Preemption is a legal doctrine that, for our purposes, means that a federal law has “so filled the field” that contrary State law-based claims such as those asserted by Byrne cannot be brought. The Supreme Court disagreed:

“[W]e conclude that, if Connecticut’s common law recognizes claims arising from a healthcare provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims. We further conclude that, to the extent it has become the common practice for Connecticut healthcare providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena. The availability of such private rights of action in state courts, to the extent that they exist as a matter of state law, do not preclude, conflict with, or complicate healthcare providers’ compliance with HIPAA. On the contrary, negligence claims in state courts support ‘at least one of HIPAA’s goals by establishing another disincentive to wrongfully disclose a patient’s healthcare record.’” [footnote and citation omitted].

The Supreme Court remanded for further proceedings.

Impact of the Byrne Ruling

To begin, note what the Supreme Court assumed: That claims such as those asserted by Byrne existed under the common law of Connecticut. That assumption will presumably be tested by Byrne and the Avery Center on remand. If the common law does not permit Byrne’s negligence and negligent infliction claims to go forward that will end the action in the Avery Center’s favor. However, even assuming that Byrne’s claims are rejected, courts in other States may well hold to the contrary and allow negligence-based claims to proceed if those courts also reject the preemption argument.

There is more. Assuming that negligence-based claims can proceed, the next question to be addressed is the standard of care to which healthcare providers who fail to protect the confidentiality of medical records will be held. After all, negligence is measured by a failure to comply with a standard of care. The holding of the Avery decision, that HIPAA and its implementing regulations might provide the basis for that standard of care, reinforces the obligation of healthcare providers to review their procedures for responding to subpoenas in ways that are consistent with patient confidentiality.

Ron Hedges, JD, is a former US Magistrate Judge in the District of New Jersey and is currently a writer, lecturer, and consultant on topics related to electronic information.