Heck yes. In Connecticut, a patient can sue a doctor’s office for disclosing medical records. Connecticut healthcare providers might have to pay a lot in damages if the patient did not authorize them to disclose her records.
Yale New Haven just disclosed a breach of its radiology files. “YNHH learned that a web file containing patient information was inadvertently made accessible via our website.”
This is a perfect entrée to the topic at hand. I am sure Yale, which has some very good lawyers, is following the rules concerning a cyberattack or breach. I’ve written about that here and will be updating that soon with some recent privacy laws in Connecticut. Violation of privacy laws can lead to an unfair trade practice violation.
Healthcare providers, doctors’ offices, dentists, chiropractors, physical therapists. The list goes on. You have to protect patient information. And have a written policy, which can protect you from paying punitive damages for an unauthorized disclosure.
Patient Wins Over $800,000 for Medical Records Disclosure
In a recent decision that you can read here, Connecticut’s appellate court upheld a jury verdict that awarded a woman over $800,000 in a lawsuit against her OBGYN healthcare provider. Her OBGYN had responded to a subpoena by simply sending her medical records to probate court. The Court put them in the public file of a paternity proceeding the woman’s ex-husband had filed against her. The information, highly sensitive and personal, was now public.
Why Is This Case About Medical Records Disclosure Important?
This case is important for many reasons, not only because it shows how a patient can sue a doctor’s office for disclosing medical records. For one, it is over 15 years old and has made its way through the courts twice already. The first time, the Connecticut Supreme Court determined that HIPAA does not allow someone to bring a lawsuit against a doctor who violates HIPAA. But the Court also held that HIPAA and other privacy laws still form the standards or guidelines for whether a medical practice is negligent in protecting a patient’s records. Since that decision, Connecticut has decided to allow patients to sue providers in negligence for not protecting their confidential information. Negligence basically means you don’t act in a way that reasonable people should and your actions harm someone.
Another reason it is important is that it involved a doctor’s office responding to a lawfully issued subpoena. Seems like that’s okay to follow, right? No. Physicians’ offices need to protect themselves and their practice by requiring a HIPAA-compliant authorization before releasing records. Or, the doctor’s office can have its attorney draft a form letter that says it is willing to produce the records but only subject to a court order or protective order.
Physicians’ offices, of course, but also all healthcare providers and a wide range of organizations must protect medical information and any PII (personally identifiable information). They need to have specific, clear policies in place, and to distribute and update them. More importantly, they need to audit compliance with those policies.
A Subpoena Can Be Defective and a Trap for Unauthorized Medical Records Disclosure
Too many lawyers try to skirt the rules and get a hold of information like this to use in lawsuits. And physician practices need to be aware of the risks that come with producing records in response to what appears to be lawfully issued process. Have a policy in place that requires someone to review the subpoena for compliance with the rules, check for an authorization and even alert the patient. Even better, hire an attorney to file a motion for protective order before producing the records. After this case, I think it’s a good idea to do everything you can to protect your patients and your practice.
Check your policies now. Rewrite them if necessary. And train, train, train and audit, audit, audit.