In spite of all of the data breaches that we see on an almost daily basis, we have seen time and again that the courts have dismissed lawsuits for a variety of reasons. In many cases, the reason is called lack of standing.
Under U.S. Federal law, standing is based on Article III of the U.S. Constitution. Article III requires that you have an injury in fact to your own legal interests; in other words, you have suffered some sort of actual harm. That only applies to lawsuits filed in Federal court. This is one reason why credit card companies credit you for fraudulent charges. No lost money, no harm, no ability to sue.
But judges have been loosening the definition of actual harm over the last few years in light of all of the breaches.
Now the Connecticut State Supreme Court has ruled that there is a DUTY of confidentiality between doctor and patient and patients may sue in cases of unauthorized disclosure of protected health information or PHI.
In this case, the plaintiff was pregnant and asked the doctor not to release information to the father of the child, with whom the plaintiff was no longer in a relationship.
The practice received a subpoena and in response mailed a copy of the patient’s medical records to the court.
Only problem is, that wasn’t what the subpoena told the doctor to do. All it said was that the custodian of the records had to appear before the attorney who requested the subpoena.
HIPAA, which governs the disclosure of medical records, says that records may be disclosed in the case of a subpoena, but only if the patient has received adequate notice or a qualified protective order has been issued.
The doctor did none of these things.
Other state courts are also wrestling with these issues.
So now, at least in Connecticut, patients have an expectation of privacy in their medical records and if doctors and hospitals don’t take that expectation seriously enough, patients do have the ability to sue.
It seems that the courts are chipping away at this standing conversation, understanding that people are actually being harmed, even if it is not in a measurable, financial way.
While the Connecticut Supreme Court ruling is not binding in any other states, that does not mean that judges won’t be looking at that ruling.
An important note here – this lawsuit is not based on a breach or a hack. This was based on an inappropriate action of a staff member in the doctor’s office. It seems unlikely that the answer from the court would have been any different if the disclosure had been due to a breach, but of course, we do not know.
Information for this post came from Health IT Security.