In a long-awaited decision concerning the confidentiality of medical records and patient privacy, the Connecticut Supreme Court recently concluded that the physician-patient relationship establishes a duty of confidentiality to a patient in Connecticut, and that unauthorized disclosure of confidential information obtained for the purpose of treatment in the course of that relationship gives rise to a cause of action in tort, unless the disclosure is otherwise permitted by law.

In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the Court considered – for a second time – the legal implications arising from the defendant’s mailing of the plaintiff’s medical records in 2005 to a probate court in response to a subpoena without providing notice to the plaintiff, filing a motion to quash the subpoena, or appearing in court as requested under the subpoena. Previously, in 2014 the Court held that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) did not preempt state law negligence claims arising from the alleged breach of confidentiality by the defendant in this case, and further that the HIPAA privacy and security standards can inform the applicable standard of care to the extent it is common practice in Connecticut for health care providers to comply with HIPAA. In that decision, the Court expressly reserved judgment as to whether Connecticut law actually recognized a negligence action arising from a health care provider’s alleged breach of its duty of confidentiality to a patient. In this case, the Court was tasked with resolving that question after a trial court subsequently granted summary judgment for the defendants on remand following the Court’s 2014 decision. In granting summary judgment, the trial court explained that no Connecticut court had previously recognized a common-law privilege for physician-patient communications, and that such a determination was better left to the Supreme and Appellate courts or the legislature.

In a unanimous opinion released January 16, 2018, the Court held that Connecticut recognizes a common-law cause of action in tort for a health care provider’s breach of its duty of confidentiality to a patient arising from the physician-patient relationship. Relying in part on its previous decision in this case, the Court determined that “federal law regarding privacy and confidentiality of medical records supports our recognition of a common-law cause of action for breach of the duty of confidentiality of medical records by a health care provider,” and that public policy favored the Court’s recognition of such a cause of action. The Court noted that “a majority of jurisdictions” that have addressed the issue “have recognized a common-law cause of action for breach of the confidentiality of medical records by health care providers.” The Court cited to cases from Massachusetts, New York, New Jersey, South Carolina, Utah, Ohio and Missouri as support for recognizing a cause of action for unauthorized disclosures of confidential medical information in the context of the physician-patient relationship, and noted that “the most common basis for recognizing such a cause of action [in decisions from other jurisdictions] is that health care providers enjoy a special fiduciary relationship with their patients.”

The Court did review decisions from four jurisdictions that have refused to recognize a similar cause of action, but the most recent of those cases was decided in 1982, and the Court determined that “the rationale of these jurisdictions… is not persuasive in Connecticut” in part because Connecticut’s statutory privilege protecting certain communications with health care providers (C.G.S. § 52-146o) established “a broad physician-patient privilege” in the state. The Court also noted that the absence of an express remedy for violation of that statutory privilege did not bar recognition of the common-law cause of action in this case.

Interestingly, in the opinion the Court states that the duty of confidentiality recognized by the court “arises from the physician-patient relationship,” but also states that the cause of action the Court recognizes in this case is viable against “the health care provider” where an unauthorized disclosure is made of information obtained “in the course of” the physician-patient relationship. The Court describes the “dispositive issue” in part as “whether a patient has a civil remedy against a physician,” but describes its findings from other jurisdictions as concerning causes of action for breaches of confidentiality “by health care providers.” Moreover, the statutory privilege cited by the Court in support of its conclusions – C.G.S. § 52-146o – by its terms applies not only to physicians and surgeons, but also to “other licensed health care provider(s).” This framing of the Court’s holding, and varying use of the term “physician” and “health care provider,” thus appears to create some ambiguity as to whether this case opens the door to causes of action against licensed health care providers other than physicians (e.g., nurses) for unauthorized disclosures of confidential medical information not otherwise permitted by law.

Finally, after concluding that Connecticut recognizes a common-law cause of action sounding in tort for unauthorized disclosure of confidential information obtained in the course of a physician-patient relationship, the Court turned to the instant case and reversed the trial court’s granting of summary judgment for the defendant. The Court relied in part on the HIPAA privacy rule’s requirements for responding to a subpoena, noting that “the defendant’s own admissions establish that it did not comply with” those requirements, in determining that a genuine issue of material fact exists as to whether the above-recognized duty of confidentiality was violated due to “the manner in which” the defendant disclosed the plaintiff’s medical records in response to the subpoena in 2005.