Summary
recognizing a tort cause of action for patients against health care providers who, without authority to do so, disclose confidential information obtained in the course of the physician-patient relationship
Summary of this case from Stein v. NeedleOpinion
SC 19873
01-16-2018
Emily BYRNE v. AVERY CENTER FOR OBSTETRICS AND GYNECOLOGY, P.C.
Bruce L. Elstein, for the appellant (plaintiff). James F. Biondo, for the appellee (defendant).
Bruce L. Elstein, for the appellant (plaintiff).
James F. Biondo, for the appellee (defendant).
Rogers, C.J., and Palmer, Eveleigh, McDonald, Robinson and D'Auria, Js.
The listing of justices reflects their seniority status on this court as of the date of oral argument.
EVELEIGH, J. The plaintiff, Emily Byrne, appeals from the judgment of the trial court rendered in favor of the defendant, Avery Center for Obstetrics and Gynecology, P.C., on two counts of the operative complaint alleging, respectively, negligence and negligent infliction of emotional distress. On appeal, the plaintiff asserts that the trial court incorrectly granted summary judgment in favor of the defendant on these counts because it incorrectly concluded that the defendant, as a health care provider, owed the plaintiff no common-law duty of confidentiality. We agree with the plaintiff and, accordingly, reverse the judgment of the trial court.
We note that Byrne filed a petition for bankruptcy and that Douglas J. Wolinsky, the trustee subsequently appointed by United States Bankruptcy Court for the District of Vermont, was added as a plaintiff in the present case. See Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , 314 Conn. 433, 436 n.2, 102 A.3d 32 (2014). For the sake of convenience, we refer to Byrne as the plaintiff in this opinion.
We note that the trial court's partial award of summary judgment in the present case would not ordinarily constitute a final judgment for the purpose of appeal. Kelly v. New Haven , 275 Conn. 580, 594, 881 A.2d 978 (2005). The plaintiff has, however, obtained permission to appeal from the trial court's decision to the Appellate Court pursuant to Practice Book § 61–4. This appeal was subsequently transferred to this court pursuant to General Statutes § 51–199 (c) and Practice Book § 65–1.
This case returns to us for a second time. The facts and procedural history are set forth in this court's prior decision. See Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , 314 Conn. 433, 436–44, 102 A.3d 32 (2014). "Before July 12, 2005, the defendant provided the plaintiff [with] gynecological and obstetrical care and treatment. The defendant provided its patients, including the plaintiff, with notice of its privacy policy regarding protected health information and agreed, based on this policy and on law, that it would not disclose the plaintiff's health information without her authorization.
"In May, 2004, the plaintiff began a personal relationship with Andro Mendoza, which lasted until September, 2004. ... In October, 2004, she instructed the defendant not to release her medical records to Mendoza. In March, 2005, she moved from Connecticut to Vermont where she presently lives. On May 31, 2005, Mendoza filed paternity actions against the plaintiff in Connecticut and Vermont." (Footnote in original; internal quotation marks omitted.) Id., at 437, 102 A.3d 32. Thereafter, the defendant received a subpoena instructing the custodian of its records to appear before the issuing attorney on July 8, 2005, at the New Haven Regional Children's Probate Court and to produce "all medical records" pertaining to the plaintiff. "The defendant did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court. Rather, the defendant mailed a copy of the plaintiff's medical file to the court around July 12, 2005. In September, 2005, [Mendoza] informed [the] plaintiff by telephone that he reviewed [the] plaintiff's medical [record] in the court file. On September 15, 2005, the plaintiff filed a motion to seal her medical file, which was granted. The plaintiff alleges that she suffered harassment and extortion threats from Mendoza since he viewed her medical records. ...
"We note that the operative complaint in the present case alleges that the plaintiff discovered she was pregnant around the same time she terminated her relationship with Mendoza." Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , supra, 314 Conn. at 437 n.4, 102 A.3d 32.
"We also note that, according to the operative complaint, Mendoza has utilized the information contained within these records to file numerous civil actions, including paternity and visitation actions, against the plaintiff, her attorney, her father and her father's employer, and to threaten her with criminal charges." Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , supra, 314 Conn. at 437 n.5, 102 A.3d 32.
"The plaintiff subsequently brought this action against the defendant. Specifically, the operative complaint in the present case alleges that the defendant: (1) breached its contract with her when it violated its privacy policy by disclosing her protected health information without authorization; (2) acted negligently by failing to use proper and reasonable care in protecting her medical file, including disclosing it without authorization in violation of General Statutes § 52–146o and the [federal] regulations implementing [the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1320d et seq. ], (3) made a negligent misrepresentation, upon which the plaintiff relied to her detriment, that her medical file and the privacy of her health information would be protected in accordance with the law; and (4) engaged in conduct constituting negligent infliction of emotional distress. After discovery, the parties filed cross motions for summary judgment." (Footnotes altered; internal quotation marks omitted.) Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , supra, 314 Conn. at 437–39, 102 A.3d 32.
General Statutes § 52–146o provides: "(a) Except as provided in sections 52–146c to 52–146j, inclusive, sections 52–146p, 52–146q and 52–146s, and subsection (b) of this section, in any civil action or any proceeding preliminary thereto or in any probate, legislative or administrative proceeding, a physician or surgeon, licensed pursuant to section 20–9, or other licensed health care provider, shall not disclose (1) any communication made to him or her by, or any information obtained by him or her from, a patient or the conservator or guardian of a patient with respect to any actual or supposed physical or mental disease or disorder, or (2) any information obtained by personal examination of a patient, unless the patient or that patient's authorized representative explicitly consents to such disclosure.
"(b) Consent of the patient or the patient's authorized representative shall not be required for the disclosure of such communication or information (1) pursuant to any statute or regulation of any state agency or the rules of court, (2) by a physician, surgeon or other licensed health care provider against whom a claim has been made, or there is a reasonable belief will be made, in such action or proceeding, to the physician's, surgeon's or other licensed health care provider's attorney or professional liability insurer or such insurer's agent for use in the defense of such action or proceeding, (3) to the Commissioner of Public Health for records of a patient of a physician, surgeon or health care provider in connection with an investigation of a complaint, if such records are related to the complaint, or (4) if child abuse, abuse of an elderly individual, abuse of an individual who is physically disabled or incompetent or abuse of an individual with intellectual disability is known or in good faith suspected."
We note that the legislature made certain technical changes to § 52–146o subsequent to the events underlying the present appeal. See, e.g., Public Acts 2013, No. 13–208, § 63. For the sake of simplicity, all references to § 52–146o within this opinion are to the current revision of the statute.
"With respect to the plaintiff's negligence based claims in counts two and four of the complaint, the trial court agreed with the defendant's contention that 'HIPAA preempts "any action dealing with confidentiality/privacy of medical information,' " which prompted the court to treat the summary judgment motion as one seeking dismissal for lack of subject matter jurisdiction. In its memorandum of decision, the trial court first considered the plaintiff's negligence claims founded on the violations of the regulations implementing HIPAA. The court first observed the 'well settled' proposition that HIPAA does not create a private right of action, requiring claims of violations instead to be raised through ... administrative channels. The trial court then relied on Fisher v. Yale University , Superior Court, judicial district of New Haven, Complex Litigation Docket, Docket No. X10–CV–04–4003207–S, 2006 WL 1075035 (April 3, 2006), and Meade v. Orthopedic Associates of Windham County , Superior Court, judicial district of Windham, Docket No. CV–06–4005043–S, 2007 WL 4755001 (December 27, 2007), and rejected the plaintiff's claim that she had not utilized HIPAA as the basis of her cause of action, but rather, relied on it as ' "evidence of the appropriate standard of care" for claims brought under state law, namely, negligence.' Emphasizing that the courts cannot supply a private right of action that the legislature intentionally had omitted, the trial court noted that the 'plaintiff has labeled her claims as negligence claims, but this does not change their essential nature. They are HIPAA claims.' The trial court further determined that the plaintiff's statutory negligence claims founded on a violation of § 52–146o were similarly preempted because the state statute had been superseded by HIPAA, and thus the plaintiff's state statutory claim 'amount[ed] to a claim for a HIPAA violation, a claim for which there is no private right of action.'
"The trial court concluded similarly with respect to the plaintiff's common-law negligence claims, observing that, under the regulatory definitions implementing HIPAA's preemption provision ... to 'the extent that common-law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA's preemption rule. Because it is not more stringent, according to the definition of 45 C.F.R. § 160.202, the preemption exception does not apply.' For the same reasons, the trial court dismissed count four of the complaint, claiming negligent infliction of emotional distress. "With respect to the remainder of the pending motions, the trial court first denied, on the basis of its previous preemption determinations, the plaintiff's motion for summary judgment, which had claimed that the defendant's conduct in responding to the subpoena violated the HIPAA regulations, specifically 45 C.F.R. § 164.512 (e), as a matter of law. The trial court denied, however, the defendant's motion for summary judgment with respect to the remaining counts of the complaint, namely, count one alleging breach of contract and count three alleging negligent misrepresentation, determining that genuine issues of material fact existed with respect to contract formation through the defendant's privacy policy, and whether the plaintiff had received and relied upon that policy. Thus, the trial court denied the defendant's motion for summary judgment as to counts one and three of the complaint, and dismissed counts two and four of the complaint for lack of subject matter jurisdiction." (Citations omitted; footnotes added and omitted.) Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , supra, 314 Conn. at 439–44, 102 A.3d 32.
Title 45 of the Code of Federal Regulations (2016), § 160.202, implement's HIPPA's preemption provision, 42 U.S.C. § 1320d–7, and provides: "For purposes of this subpart, the following terms have the following meanings:
"Contrary , when used to compare a provision of [s]tate law to a standard, requirement, or implementation specification adopted under this subchapter, means:
"(1) A covered entity or business associate would find it impossible to comply with both the [s]tate and [f]ederal requirements; or
"(2) The provision of [s]tate law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act, section 264 of Public Law 104–191, or sections 13400–13424 of Public Law 111–5, as applicable.
"More stringent means, in the context of a comparison of a provision of [s]tate law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a [s]tate law that meets one or more of the following criteria:
"(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:
"(i) Required by the Secretary in connection with determining whether a covered entity or business associate is in compliance with this subchapter; or
"(ii) To the individual who is the subject of the individually identifiable health information.
"(2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.
"(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.
"(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.
"(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.
"(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.
"Relates to the privacy of individually identifiable health information means, with respect to a [s]tate law, that the [s]tate law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.
"State law means a constitution, statute, regulation, rule, common law, or other [s]tate action having the force and effect of law." (Emphasis in original.)
Thereafter, pursuant to Practice Book § 61–4, the plaintiff obtained permission to file an appeal from the judgment of the trial court dismissing counts two and four of the complaint to the Appellate Court. The appeal was subsequently transferred to this court pursuant to General Statutes § 51–199 (c) and Practice Book § 65–1. On appeal to this court, the plaintiff asserted that the trial court improperly concluded that her state law claims for negligence and negligent infliction of emotional distress were preempted by HIPAA. Id., at 436, 102 A.3d 32. In examining the plaintiff's claim, this court explained: "We note at the outset that whether Connecticut's common law provides a remedy for a health care provider's breach of its duty of confidentiality, including in the context of responding to a subpoena, is not an issue presented in this appeal. Thus, assuming, without deciding, that Connecticut's common law recognizes a negligence cause of action arising from health care providers' breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances." (Footnote omitted.) Id., at 446–47, 102 A.3d 32.
This court concluded that, "to the extent that Connecticut's common law provides a remedy for a health care provider's breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA does not preempt the plaintiff's state common-law causes of action for negligence or negligent infliction of emotional distress against the health care providers in this case and, further, that regulations of the Department of Health and Human Services (department) implementing HIPAA may inform the applicable standard of care in certain circumstances." Id., at 436, 102 A.3d 32. Accordingly, this court reversed the judgment of the trial court and remanded the case to that court for further proceedings. Id., at 463, 102 A.3d 32.
On remand, the defendant filed a motion for summary judgment on the counts of the operative complaint alleging negligence and negligent infliction of emotional distress. As grounds for its motion, the defendant claimed that no Connecticut court had ever recognized a common-law cause of action against a health care provider for breach of its duty of confidentiality for its response to a subpoena. The trial court granted the defendant's motion for summary judgment, determining that "no courts in Connecticut, to date, recognized or adopted a common-law privilege for communications between a patient and physicians. Any recognition of this cause of action is best addressed to our Supreme and Appellate Courts or the legislature. Accordingly the motion for summary judgment is granted as to counts two and four of the plaintiff's operative complaint." This appeal followed. See footnote 2 of this opinion.
We begin with general principles and the standard of review. " Practice Book § 17–49 provides that summary judgment shall be rendered forthwith if the pleadings, affidavits and any other proof submitted show that there is no genuine issue as to any material fact and that the moving party is entitled to judgment as a matter of law. In deciding a motion for summary judgment, the trial court must view the evidence in the light most favorable to the nonmoving party.... The party moving for summary judgment has the burden of showing the absence of any genuine issue of material fact and that the party is, therefore, entitled to judgment as a matter of law.... Our review of the trial court's decision to grant the defendant's motion for summary judgment is plenary." (Internal quotation marks omitted.) Bozelko v. Papastavros , 323 Conn. 275, 282, 147 A.3d 1023 (2016) ; see also Arras v. Regional School District No. 14 , 319 Conn. 245, 255, 125 A.3d 172 (2015).
In the present appeal, the plaintiff asserts that the trial court incorrectly granted summary judgment in favor of the defendant on the counts of the operative complaint alleging negligence and negligent infliction of emotional distress. Specifically, the plaintiff asserts that Connecticut's common law recognizes a duty of confidentiality arising from the physician-patient relationship and that this duty extends to compliance with a subpoena. The plaintiff further asserts that recognition of such a duty is supported by public policy considerations, as reflected in § 52–146o and HIPAA, and case law from other jurisdictions. In response, the defendant asserts that there is no common-law duty of confidentiality between a health care provider and a patient in the context of responding to a subpoena. The defendant further asserts that such a duty is not supported by public policy considerations or recognized in other jurisdictions. We conclude that recognizing a cause of action for the breach of the duty of confidentiality in the physician-patient relationship by the disclosure of medical information is not barred by § 52–146o or HIPAA and that public policy, as viewed in a majority of other jurisdictions that have addressed the issue, supports that recognition.
The dispositive issue in this appeal is whether a patient has a civil remedy against a physician if that physician, without the patient's consent, discloses confidential information obtained in the course of the physician-patient relationship. Although we have not had the opportunity to address this question before, this court has recognized that "[t]he principle of confidentiality lies at the heart of the physician-patient relationship ...." Jarmie v. Troncale , 306 Conn. 578, 607, 50 A.3d 802 (2012). "Physician-patient confidentiality is described as a 'privilege.' ... When that confidentiality is diminished to any degree, it necessarily affects the ability of the parties to communicate, which in turn affects the ability of the physician to render proper medical care and advice." Id., at 608–609, 50 A.3d 802. "[T]he purpose of the privilege is to give the patient an incentive to make full disclosure to a physician in order to obtain effective treatment free from the embarrassment and invasion of privacy which could result from a doctor's testimony." State v. White , 169 Conn. 223, 234–35, 363 A.2d 143, cert. denied, 423 U.S. 1025, 96 S.Ct. 469, 46 L.Ed. 2d 399 (1975), citing C. McCormick, Evidence (2d Ed. 1972) § 98, p. 213. Additionally, the Appellate Court has recognized the fiduciary nature of the physician-patient relationship, which is based on trust and confidence that develops as medical service is provided. Rosenfield v. Rogin, Nassau, Caplan, Lassman & Hirtle, LLC , 69 Conn. App. 151, 163, 795 A.2d 572 (2002) ( "There is a marked resemblance between the continuous treatment of a patient's condition by a physician and the continuous representation of a client by an attorney.... In both situations, the relationship between the parties is demarcated by the fiduciary relationship of trust and confidence, which continues to develop as the service is provided." [Citations omitted.] ).
The importance of confidentiality in the physician-patient relationship has been recognized by courts in numerous jurisdictions throughout the country. Courts have repeatedly used the common law to recognize "a patient's valid interest in preserving the confidentiality of medical facts relayed to a physician." Bratt v. International Business Machines Corp. , 392 Mass. 508, 522, 467 N.E.2d 126 (1984). "A patient should be entitled to freely disclose his symptoms and condition to his doctor in order to receive proper treatment without fear that those facts may become public property. Only thus can the purpose of the relationship be fulfilled." Hague v. Williams , 37 N.J. 328, 336, 181 A.2d 345 (1962). "The benefits which inure to the relationship of physician-patient from the denial to a physician of any right to promiscuously disclose such information are self-evident. On the other hand, it is impossible to conceive of any countervailing benefits which would arise by according a physician the right to gossip about a patient's health." Id., at 335–36, 181 A.2d 345. "Notwithstanding the concern that application of the patient-physician privilege may bar the admissibility of probative testimony, there is a clear recognition that, in general, a physician does have a professional obligation to maintain the confidentiality of his patient's communications.... This obligation to preserve confidentiality is recognized as part of the Hippocratic Oath." (Citation omitted.) Stempler v. Speidell , 100 N.J. 368, 375, 495 A.2d 857 (1985).
Indeed, this court has explained that "[t]he principle of confidentiality lies at the heart of the physician-patient relationship and has been recognized by our legislature. [ Section] 52–146o was enacted in 1990; see Public Acts 1990, No. 90–177; to address the need 'to protect the confidentiality of communications in order to foster the free exchange of information from patient to physician ....' " Jarmie v. Troncale , supra, 306 Conn. at 607–608, 50 A.3d 802, quoting Edelstein v. Dept. of Public Health & Addiction Services , 240 Conn. 658, 666, 692 A.2d 803 (1997).
Section 52–146o (a) provides: "Except as provided in sections 52–146c to 52–146j, inclusive, sections 52–146p, 52–146q and 52–146s, and subsection (b) of this section, in any civil action or any proceeding preliminary thereto or in any probate, legislative or administrative proceeding, a physician or surgeon, licensed pursuant to section 20–9, or other licensed health care provider, shall not disclose (1) any communication made to him or her by, or any information obtained by him or her from, a patient or the conservator or guardian of a patient with respect to any actual or supposed physical or mental disease or disorder, or (2) any information obtained by personal examination of a patient, unless the patient or that patient's authorized representative explicitly consents to such disclosure."
Subsection (b) of § 52–146o further provides as follows: "Consent of the patient or the patient's authorized representative shall not be required for the disclosure of such communication or information (1) pursuant to any statute or regulation of any state agency or the rules of court, (2) by a physician, surgeon or other licensed health care provider against whom a claim has been made, or there is a reasonable belief will be made, in such action or proceeding, to the physician's, surgeon's or other licensed health care provider's attorney or professional liability insurer or such insurer's agent for use in the defense of such action or proceeding, (3) to the Commissioner of Public Health for records of a patient of a physician, surgeon or health care provider in connection with an investigation of a complaint, if such records are related to the complaint, or (4) if child abuse, abuse of an elderly individual, abuse of an individual who is physically disabled or incompetent or abuse of an individual with intellectual disability is known or in good faith suspected."
At the outset, we recognize that, although § 52–146o creates an evidentiary privilege arising from the physician-patient relationship, it does not explicitly provide a cause of action or any other remedy for improper disclosure of the confidential communications obtained in the course of that relationship. Contrary to HIPAA, which "expressly provides a method for enforcing its prohibition upon use or disclosure of [an] individual's health information—the punitive imposition of fines and imprisonment for violations"; (internal quotation marks omitted) Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , supra, 314 Conn. at 452, 102 A.3d 32 ; § 52–146o does not provide for any penalty for its violation. "An exhaustive search of Connecticut case law reveals no hard and fast test that courts apply when determining whether to recognize new causes of action. We do have the inherent authority, pursuant to the state constitution, to create new causes of action.... Moreover, it is beyond dispute that we have the power to recognize new tort causes of action, whether derived from a statutory provision or rooted in the common law." (Citation omitted.) ATC Partnership v. Coats North America Consolidated, Inc. , 284 Conn. 537, 552–53, 935 A.2d 115 (2007). "When we acknowledge new causes of action, we also look to see if the judicial sanctions available are so ineffective as to warrant the recognition of a new cause of action.... To determine whether existing remedies are sufficient to compensate those who seek the recognition of a new cause of action, we first analyze the scope and applicability of the current remedies under the facts alleged by the plaintiff.... Finally, we are mindful of growing judicial receptivity to the new cause of action, but we remain acutely aware of relevant statutes and do not ignore the statement of public policy that such statutes represent." (Citations omitted.) Id., at 553, 935 A.2d 115.
We also note that nothing in the legislative history surrounding the enactment of § 52–146o demonstrates that recognition of a cause of action for breach of the physician-patient duty of confidentiality would thwart the purpose of the act. Section 52–146o was enacted in 1990. See Public Acts 1990, No. 90–177 (P.A. 90–177). The statutory language, in its original form, is substantially similar to the current version of § 52–146o. In describing the bill, Senator Richard Blumenthal explained: "This bill would provide protection against disclosure by a health care provider of records and other communications between the patient and physician or other health care provider without the consent of the individual who is being treated. This kind of protection ordinarily exists at present, but in rare circumstances, where the health care provider is approached by an insurance adjuster or a lawyer, on occasion, the records are provided without the consent of the patients. This bill would prevent that kind of disclosure and would codify what now is and should be the existing practice." 33 S. Proc., Pt. 8, 1990 Sess., p. 2620. Representative Janet Polinsky likewise explained that "the bill is designed to insure that patient/doctor confidentiality is maintained and only disclosed pursuant to particular rules when there is a court case going on and not one person [comes] in and [gets] it." 33 H.R. Proc., Pt. 14, 1990 Sess., p. 4860. During a committee hearing on the underlying bill, Attorney Carl Secola remarked that "I think that a very basic tenet of any patient, physician relationship is that there has to be that trust between the patient and the physician so that the patient feels comfortable talking to the physician, telling them whatever's bothering them. It enables the physician to treat the patient properly and I don't think a patient should have to worry about possible consequences later on down the line that someone is going to obtain completely immaterial, irrelevant and most importantly, personal and confidential information that has absolutely nothing to do with that action." Conn. Joint Standing Committee Hearings, Judiciary, Pt. 4, 1990 Sess., p. 1163. We conclude, therefore, that the legislative history of P.A. 90–177 manifests the legislature's intention that the confidentiality of medical records be maintained and protected by a requirement that the health care provider be required to follow a specific procedure prior to disclosing the records. See 33 H.R. Proc., supra, p. 4861, remarks of Representative Edward C. Krawiecki (explaining that "[t]his sets parameters on how you get information").
We begin by examining the currently available judicial sanctions. In Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , supra, 314 Conn. at 433, 102 A.3d 32, this court undertook a thorough analysis of the criminal and civil sanctions provided by HIPAA. "It is by now well settled that the statutory structure of HIPAA ... precludes implication of a private right of action. [Section] 1320d–6 [of title 42 of the United States Code] expressly provides a method for enforcing its prohibition upon use or disclosure of individual's health information—the punitive imposition of fines and imprisonment for violations." (Footnote omitted; internal quotation marks omitted.) Id., at 451–52, 102 A.3d 32. In that case, we further explained that "one commenter during the rulemaking process had raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy." Id., at 453, 102 A.3d 32. "[HIPAA] provides for only two types of penalties: fines and imprisonment. Both types of penalties could be imposed in addition to the same type of penalty imposed by a state law, and should not interfere with the imposition of other types of penalties that may be available under state law. Thus, we think it is unlikely that there would be a conflict between state and federal law in this respect ...." Id., at 453 n.19, 102 A.3d 32, quoting Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462, 82,582 (December 28, 2000).
As explained previously in this opinion, when acknowledging new causes of action, "we are mindful of growing judicial receptivity to the new cause of action, but we remain acutely aware of relevant statutes and do not ignore the statement of public policy that such statutes represent." ATC Partnership v. Coats North America Consolidated, Inc. , supra, 284 Conn. at 553, 935 A.2d 115. Therefore, we next turn to federal law and law from other jurisdictions regarding the duty of health care providers to maintain the confidentiality of medical records.
Federal law regarding the privacy of medical information is codified in HIPAA. As we explained in Byrne , "[r]ecognizing the importance of protecting the privacy of health information in the midst of the rapid evolution of health information systems, Congress passed HIPAA in August 1996.... Within the Administrative Simplification section, Congress included another provision ... outlining a two-step process to address the need to afford certain protections to the privacy of health information maintained under HIPAA. First, [Congress] directed [the department] to submit ... within twelve months of HIPAA's enactment detailed recommendations on standards with respect to the privacy of individually identifiable health information.... Second, if Congress did not enact further legislation pursuant to these recommendations within thirty-six months of the enactment of HIPAA, [the department] was to promulgate final regulations containing such standards.... Because Congress ultimately failed to pass any additional legislation, the department's final regulations implementing HIPAA, known collectively as the Privacy Rule, were promulgated in February 2001, with compliance phased in over the next few years." (Citations omitted; internal quotation marks omitted.) Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , supra, 314 Conn. at 448–49, 102 A.3d 32 ; see also South Carolina Medical Assn. v. Thompson , 327 F.3d 346, 348 (4th Cir.), cert. denied, 540 U.S. 981, 124 S.Ct. 464, 157 L.Ed. 2d 371 (2003).
In Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , supra, 314 Conn. at 458–59, 102 A.3d 32, this court "conclude[d] that, if Connecticut's common law recognizes claims arising from a health care provider's alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims. We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients' medical records pursuant to a subpoena." Therefore, this court has previously concluded that recognition of a private cause of action for breach of the duty of confidentiality of medical records is not preempted by, or inconsistent with, HIPAA.
Indeed, this court further explained that "[t]he availability of such private rights of action in state courts, to the extent that they exist as a matter of state law, do not preclude, conflict with, or complicate health care providers' compliance with HIPAA. On the contrary, negligence claims in state courts support at least one of HIPAA's goals by establishing another disincentive to wrongfully disclose a patient's health care record." (Internal quotation marks omitted.) Id., at 459, 102 A.3d 32 ; see also Yath v. Fairview Clinics, N.P. , 767 N.W.2d 34, 49–50 (Minn. App. 2009) (concluding that state statutory cause of action for improper disclosure of medical records was not preempted by HIPAA because, "[a]lthough the penalties under the two laws differ, compliance with [the Minnesota statute] does not exclude compliance with HIPAA," and "[r]ather than creating an 'obstacle' to HIPAA, [the Minnesota statute] supports at least one of HIPAA's goals by establishing another disincentive to wrongfully disclose a patient's health care record"). Therefore, we conclude that the federal law regarding privacy and confidentiality of medical records supports our recognition of a common-law cause of action for breach of the duty of confidentiality of medical records by a health care provider.
Although the question of whether to recognize a common-law cause of action for breach of the duty of confidentiality of medical records by a health care provider is one of first impression in this court, many other jurisdictions have addressed this question. A review of case law from other jurisdictions that have addressed this issue demonstrates that a majority of jurisdictions have recognized a common-law cause of action for breach of the confidentiality of medical records by health care providers. "Although the common law did not bestow a privilege on the doctor-patient relationship and no cause of action existed for divulgence of any confidences, the clear modern consensus of the case law has imposed a legal duty of confidentiality or a fiduciary duty under the common law's continuing power and competence to answer novel questions of law arising under ever changing conditions of the society." (Footnotes omitted; internal quotation marks omitted.) D. Elder, Privacy Torts (2017) § 5:2; see also annot., 48 A.L.R. 4th 668, § 2 (a) (1986) ("Although at common law neither the patient nor the physician has the privilege that a communication of one to the other not be disclosed to a third party, courts have generally upheld or recognized the right of a patient to recover damages from a physician for unauthorized disclosure concerning the patient on the ground that such disclosure constitutes an actionable invasion of the patient's privacy .... Another basis of a physician's liability for unauthorized disclosure of confidential information about a patient is breach of the physician-patient confidential relationship. Although a few jurisdictions have refused to recognize this cause of action ... it generally has been held or recognized that a patient may have such a cause of action against the physician ...." [Footnotes omitted.] ).
In Skrzypiec v. Noonan , 228 Conn. 1, 9, 633 A.2d 716 (1993), this court affirmed the judgment of the trial court in favor of the defendant on a firefighter's claim for negligence and violation of General Statutes (Rev. to 1993) §§ 52–146d and 52–146e against his psychiatrist for improper release of confidential medical information regarding psychiatric treatment. In Skrzypiec , this court affirmed the judgment of the trial court on the ground that the jury could have found that the plaintiff suffered no harm as a result of the alleged breach. Id., at 11, 633 A.2d 716. Therefore, it assumed but did not decide whether the psychiatrist owed the plaintiff a duty to honor his request for confidentiality in the context of a request for disclosure under the Workers' Compensation Act, General Statutes (Rev. to 1987) § 31–294. Id., at 9 n.6, 633 A.2d 716.
A review of cases from other jurisdictions reveals that courts have recognized causes of action for breach of confidentiality of medical records by health care providers on a variety of bases. The most common basis for recognizing such a cause of action is that health care providers enjoy a special fiduciary relationship with their patients and that recognition of the privilege is necessary to ensure that this bond remains.
For instance, the Court of Appeals of New York explained that "in New York, the special relationship akin to a fiduciary bond, which exists between the physician and patient, is reflected in [ N.Y. C.P.L.R. 4504 (McKinney 2007) ]. The basis of the evidentiary privilege is that patients will be forthcoming and encouraged to provide complete data to assist a medical provider in diagnosis and treatment .... An additional motivation for the existence of the privilege is the avoidance of a Hobson's choice for physicians: choosing between honoring their professional obligation with respect to their patients' confidences or their legal duty to testify truthfully. By law and by oath, a physician warrants that any confidential medical information obtained through the relationship will not be released without the patient's permission. The physician-patient relationship thus operates and flourishes in an atmosphere of transcendent trust and confidence and is infused with fiduciary obligations ...." (Citation omitted.) Aufrichtig v. Lowell , 85 N.Y.2d 540, 546, 650 N.E.2d 401, 626 N.Y.S.2d 743 (1995).
Similarly, the Massachusetts Supreme Judicial Court addressed whether a patient has a nonstatutory, civil remedy against a physician for the disclosure of confidential medical information without the patient's consent in Alberts v. Devine , 395 Mass. 59, 479 N.E.2d 113, cert. denied sub nom. Carroll v. Alberts , 474 U.S. 1013, 106 S.Ct. 546, 88 L.Ed. 2d 475 (1985). In that case, the court recognized that "[f]ew cases consider the out-of-court physician-patient privilege. That is undoubtedly due to the fact that the confidentiality of the relationship is a cardinal rule of the medical profession, faithfully adhered to in most instances, and thus has come to be justifiably relied upon by patients seeking advice and treatment.... Of the courts that have considered the question, most have held that a patient can recover damages if the physician violates the duty of confidentiality that plays such a vital role in the physician-patient relationship." (Citation omitted; internal quotation marks omitted.) Id., at 66, 479 N.E.2d 113.
The Massachusetts Supreme Judicial Court reasoned as follows: "We continue to recognize a patient's valid interest in preserving the confidentiality of medical facts communicated to a physician or discovered by the physician through examination. The benefits which inure to the relationship of physician-patient from the denial to a physician of any right to promiscuously disclose such information are self-evident. On the other hand, it is impossible to conceive of any countervailing benefits which would arise by according a physician the right to gossip about a patient's health.... To foster the best interest of the patient and to insure a climate most favorable to a complete recovery, men of medicine have urged that patients be totally frank in their discussions with their physicians. To encourage the desired candor, men of law have formulated a strong policy of confidentiality to assure patients that only they themselves may unlock the doctor's silence in regard to those private disclosures. The result which these joint efforts of the two professions have produced ... has been urged or forecast in una voce by commentators in the field of medical jurisprudence." (Citation omitted; internal quotation marks omitted.) Id., at 65–66, 479 N.E.2d 113.
In considering whether to recognize the new cause of action, the Massachusetts Supreme Judicial Court reasoned as follows: "[T]he [l]egislature has demonstrated its recognition of a policy favoring confidentiality of medical facts by enacting [statutes] to limit the availability of hospital records. Furthermore, [the legislature has also created] an evidentiary privilege as to confidential communications between a psychotherapist and a patient. The fact that no such statutory privilege obtains with respect to physicians generally and their patients ... does not dissuade us from declaring that in this Commonwealth all physicians owe their patients a duty, for violation of which the law provides a remedy, not to disclose without the patient's consent medical information about the patient, except to meet a serious danger to the patient or to others." (Citation omitted.) Id., at 67–68, 479 N.E.2d 113.
In Alberts , the defendant asserted that the plaintiff's claims were barred because there was no Massachusetts precedent recognizing a civil remedy against a health care provider for breach of the duty of confidentiality. Id., at 68, 479 N.E.2d 113. The Massachusetts Supreme Judicial Court recognized that "[i]t is true, as [the defendant] argues, that no Massachusetts case before this one recognizes such a theory of liability. However, as we said in George v. Jordan Marsh Co. , [ 359 Mass. 244, 249, 268 N.E.2d 915 (1971) ], a case in which we recognized for the first time the tort of infliction of emotional distress, '[t]hat is true only because the precise question has never been presented to this court for decision. That argument is therefore no more valid than would be an argument by the plaintiff that there is no record of any Massachusetts law denying recovery on such facts. No litigant is automatically denied relief solely because he presents a question on which there is no Massachusetts judicial precedent. It would indeed be unfortunate, and perhaps disastrous, if we were required to conclude that at some unknown point in the dim and distant past the law solidified in a manner and to an extent which makes it impossible now to answer a question which had not arisen and been answered prior to that point. The courts must, and do, have the continuing power and competence to answer novel questions of law arising under ever changing conditions of the society which the law is intended to serve.' In Smith v. Driscoll , [ 94 Wash. 441, 442, 162 P. 572 (1917) ], although the court found it unnecessary to determine 'whether a cause of action lies in favor of a patient against a physician for wrongfully divulging confidential communications,' the court 'assumed' that 'for so palpable a wrong, the law provides a remedy.' We, too, believe that for so palpable a wrong, the law provides a remedy." Alberts v. Devine , supra, 395 Mass. at 68–69, 479 N.E.2d 113. Accordingly, the Massachusetts Supreme Judicial Court concluded "that a duty of confidentiality arises from the physician-patient relationship and that a violation of that duty, resulting in damages, gives rise to a cause of action sounding in tort against the physician." Id., at 69, 479 N.E.2d 113.
Similarly, the Court of Appeals of South Carolina has also recognized "the [common-law] tort of breach of a physician's duty of confidentiality." McCormick v. England , 328 S.C. 627, 643, 494 S.E.2d 431 (App. 1997). In McCormick , the court explained the fiduciary nature of the physician-patient relationship as follows: "A person who lacks medical training usually must disclose much information to his or her physician which may have a bearing upon diagnosis and treatment. Such disclosures are not totally voluntary; therefore, in order to obtain cooperation, it is expected that the physician will keep such information confidential." Id., at 635, 494 S.E.2d 431 ; see also 61 Am. Jur. 2d 299, Physicians, Surgeons, and Other Healers § 167 (1981) ("[b]eing a fiduciary relationship, mutual trust and confidence are essential").
The Court of Appeals of South Carolina further reasoned that "[t]he belief that physicians should respect the confidences revealed by their patients in the course of treatment is a concept that has its genesis in the Hippocratic Oath, which states in [relevant] part: 'Whatever, in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge as reckoning that all such should be kept secret.' " McCormick v. England , supra, 328 S.C. at 635, 494 S.E.2d 431, quoting Taber's Cyclopedic Medical Dictionary (17th Ed. 1993), p. 902.
Explaining that "[t]he modern trend recognizes that the confidentiality of the physician-patient relationship is an interest worth protecting," the Court of Appeals of South Carolina concluded that "[a] majority of the jurisdictions faced with the issue have recognized a cause of action against a physician for the unauthorized disclosure of confidential information unless the disclosure is compelled by law or is in the patient's interest or the public interest." McCormick v. England , supra, 328 S.C. at 636, 494 S.E.2d 431.
The Supreme Court of Missouri similarly explained that "[w]e believe a physician has a fiduciary duty of confidentiality not to disclose any medical information received in connection with ... treatment of [a] patient. This duty arises out of a fiduciary relationship that exists between the physician and the patient. If such information is disclosed under circumstances where this duty of confidentiality has not been waived, the patient has a cause of action for damages in tort against the physician. In addition to a physician's legal fiduciary duty, a physician also has a separate ethical duty to maintain the confidentiality of information received from a patient. While the ethical principles may evidence public policy that courts may consider in framing the specific limits of the legal duty of confidentiality, this legal duty is to be distinguished from the ethical duty. The civil action for damages in tort is the sanction that puts teeth into the physician's duty of confidentiality." (Footnote omitted.) Brandt v. Medical Defense Associates , 856 S.W.2d 667, 670–71 (Mo. 1993).
The foregoing cases from other jurisdictions reveal that a majority of jurisdictions that have considered the question have recognized a cause of action against a physician for the unauthorized disclosure of confidential medical information obtained in the context of the physician-patient relationship. "In the absence of express legislation, courts have found the basis for a right of action for wrongful disclosure in four main sources: (1) state physician licensing statutes, (2) evidentiary rules and privileged communication statutes which prohibit a physician from testifying in judicial proceedings, (3) [common-law] principles of trust, and (4) the Hippocratic Oath and principles of medical ethics which proscribe the revelation of patient confidences.... The jurisdictions that recognize the duty of confidentiality have relied on various theories for the cause of action, including invasion of privacy, breach of implied contract, medical malpractice, and breach of a fiduciary duty or a duty of confidentiality." (Citation omitted; footnote omitted.) McCormick v. England , supra, 328 S.C. at 636–37, 494 S.E.2d 431.
Other jurisdictions that have considered the issue have continued to allow state law causes of action arising from the breach of patient confidentiality by health care providers after the enactment of HIPAA. These cases rely on the premise that "such state-law claims compliment HIPAA by enhancing the penalties for its violation and thereby encouraging HIPAA compliance." R.K. v. St. Mary's Medical Center, Inc. , 229 W. Va. 712, 721, 735 S.E.2d 715 (2012), cert. denied, 569 U.S. 905, 133 S.Ct. 1738, 185 L.Ed. 2d 788 (2013).
In a case with very similar facts to the present case, the Appellate Division of the Superior Court of New Jersey allowed a plaintiff to proceed with a common-law civil action seeking to recover damages against her physician for the disclosure of certain medical records to her husband's attorney in response to a subpoena in the absence of the plaintiff's authorization or a notice to the plaintiff or her attorney. Crescenzo v. Crane , 350 N.J. Super. 531, 534–35, 796 A.2d 283 (App. Div.), cert. denied, 174 N.J. 364, 807 A.2d 196 (2002). The court rejected the doctor's claim that the subpoena itself was a determination by the court that would authorize disclosure without consent because it commanded him to produce the documents and he was subject to a contempt citation if he did not comply. Id., at 540–41, 796 A.2d 283. In reaching this conclusion, the court reasoned as follows: "That a physician may find himself in a difficult position when confronted with the imposing language of a subpoena does not warrant a resolution of the problem by simply providing the records without a release or further inquiry, especially when regulatory provisions governing a doctor's conduct recognize and are designed to preserve the confidentiality of a patient's records. We have identified practical alternatives to simply yielding the records—a release, contact with the patient or contact with the attorney—none of which impose[s] a significant or undue burden on the doctor when confidentiality is at stake. We hold that [the] plaintiff may proceed with her cause of action against the doctor." Id., at 542, 796 A.2d 283.
Although many jurisdictions had recognized an independent tort for the unauthorized disclosure of medical information to a third party prior to the enactment of HIPAA, the trend toward recognition of the cause of action and allowance of such claims has continued after its enactment in 1996. See Sorensen v. Barbuto , 143 P.3d 295, 300 (Utah App. 2006) (holding that "ex parte communication between a physician and opposing counsel constitutes a breach of the physician's fiduciary duty of confidentiality" and concluding that "the trial court erred in dismissing [the plaintiff's] claim for breach of confidentiality [and, because] we have determined that a duty exists, the trial court [also] erred in dismissing [the plaintiff's] claim for negligence"); see also, e.g., Biddle v. Warren General Hospital , 86 Ohio St.3d 395, 401, 715 N.E.2d 518 (1999) ("[w]e hold that in Ohio, an independent tort exists for the unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship").
Our research reveals four jurisdictions that have declined to recognize a cause of action for breach of the physician's duty of confidentiality. See annot., 48 A.L.R 4th, supra, § 7, pp. 691–92. ("[i]n a few jurisdictions, the courts have held that liability for a physician's unauthorized disclosure of confidential information about a patient cannot be based upon a breach of the confidential relationship of physician and patient, where the particular jurisdiction follows the common-law rule that neither patient nor physician has a privilege that a communication of one to the other not be disclosed to a third party, and has no statute providing for such a privilege"); see also Mikel v. Abrams , 541 F.Supp. 591, 599 (W.D. Mo. 1982) (refusing to follow cases from other states and declining to recognize cause of action for breach of confidential or privileged relationship because no Missouri case had recognized cause of action before), aff'd, 716 F.2d 907 (8th Cir. 1983) ; Logan v. District of Columbia , 447 F.Supp. 1328 (D.D.C. 1978) (noting that "[o]ther jurisdictions have recognized a cause of action for unauthorized disclosure of information obtained through the physician- patient relationship" but concluding that plaintiff had failed to persuade court "that such a cause of action should or would be recognized by the courts of this jurisdiction" and that plaintiff's invasion of privacy claim was "sufficient to redress any breach of the confidentiality of the physician-patient relationship"); Collins v. Howard , 156 F.Supp. 322, 324 (S.D. Ga. 1957) (The court refused to recognize a cause of action for breach of confidentiality, concluding as follows: "There is no confidential relationship between doctor and patient or hospital and patient in Georgia. The [common-law] rule is followed and no statute has been enacted creating the relationship.... In the absence of a statute providing for such privilege, none exists." [Citation omitted.] ); Quarles v. Sutherland , 215 Tenn. 651, 655–57, 389 S.W.2d 249 (1965) (declining to recognize cause of action for breach of confidentiality where state had no common-law or statutory privilege for communications between patient and physician). As this court recognized in Edelstein v. Dept. of Public Health & Addiction Services , supra, 240 Conn. at 662, 692 A.2d 803, § 52–146o"created a broad physician-patient privilege," and, therefore, the rationale of these jurisdictions that decline to recognize a common-law action for breach of the duty of confidentiality is not persuasive in Connecticut. Accordingly, we agree with the majority of jurisdictions that have considered the issue, and conclude that the nature of the physician-patient relationship warrants recognition of a common-law cause of action for breach of the duty of confidentiality in the context of that relationship.
We conclude that a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship for the purpose of treatment gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law.
In the present case, the defendant asserts that, even if this court recognizes a cause of action for breach of the duty of confidentiality in the physician-patient relationship, the defendant's motion for summary judgment in the present case should be granted because the plaintiff's medical records were disclosed in response to a subpoena and § 52–146o (b) does not require the patient's consent for such a disclosure. We disagree.
Section 52–146o (b) provides in relevant part that "[c]onsent of the patient or the patient's authorized representative shall not be required for the disclosure of such communication or information (1) pursuant to any statute or regulation of any state agency or the rules of court...." The language of § 52–146o (b) demonstrates that the disclosure must comply with statutes and regulations or the rules of court. Although we recognize, as other jurisdictions do, that the common-law duty of confidentiality is not absolute, we cannot conclude that any disclosure of medical records in response to a subpoena complies with § 52–146o (b) because a subpoena, without a court order, is not a statute, regulation of a state agency, or rule of court. See Practice Book § 7–18 ("Hospital, psychiatric and medical records shall not be filed with the clerk unless such records are submitted in a sealed envelope clearly identified with the case caption, the subject's name and the health care provider, institution or facility from which said records were issued. Such records shall be opened only pursuant to court order."); see also Practice Book § 25–55 ("A party who plans to offer a hospital record in evidence shall have the record in the clerk's office twenty-four hours prior to trial. The judge shall order that all such records be available for inspection in the clerk's office to any counsel of record under the supervision of the clerk.... Such records shall be submitted in accordance with the provisions of Section 7–18."). We also cannot conclude that the mere existence of a subpoena, regardless of the method by which a health care provider chooses to comply, precludes a common-law action for breach of confidentiality. In the present case, the defendant received a subpoena instructing the custodian of its records to appear, together with the plaintiff's medical records, at the New Haven Regional Children's Probate Court on July 8, 2005. The defendant did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court. Rather, the defendant mailed a copy of the plaintiff's medical file to the court around July 12, 2005. The plaintiff was later notified by Mendoza that he was able to review her medical record in the court file. See Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , supra, 314 Conn. at 437, 102 A.3d 32.
The defendant asserts that the Appellate Court's decision in Alexandru v. West Hartford Obstetrics & Gynecology, P.C. , 78 Conn. App. 521, 524–25, 827 A.2d 776, cert. denied, 266 Conn. 912, 832 A.2d 68 (2003), is applicable to the present case. We disagree. In Alexandru , the Appellate Court concluded that the defendant medical provider did not violate § 52–146o when it disclosed the plaintiff's medical records during a deposition by a physician who had been obtained as the plaintiff's medical expert. Id., at 522–25, 827 A.2d 776. In affirming the judgment of the trial court granting summary judgment to the defendant, the Appellate Court explained that "[t]he plaintiff's medical records were disclosed by her medical expert at a deposition process governed by the rules of federal procedure attended by her counsel and with no objection to either disclosure or the process." Id., at 523, 827 A.2d 776. Furthermore, the Appellate Court noted that the plaintiff had exercised a valid authorization for her medical records to be released to her attorney and that "[h]aving authorized release of that information to her attorney, she impliedly gave consent to her attorney to utilize the information on her behalf in advancing her claims in the federal action." Id., at 525, 827 A.2d 776. As we have explained previously herein, there is a genuine issue of material fact regarding whether the disclosure of the plaintiff's medical records in the present case was in compliance with applicable regulations and the rules of court. Accordingly, we find Alexandru inapplicable.
From our review of the record in the present case, it appears that the defendant did not even comply with the face of the subpoena, which required the custodian of records for the defendant to appear in person before the attorney who issued the subpoena. Instead, the defendant mailed a copy of the plaintiff's medical records directly to the court.
Furthermore, in Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , supra, 314 Conn. at 458–59, 102 A.3d 32, this court concluded "that, if Connecticut's common law recognizes claims arising from a health care provider's alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims. We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients' medical records pursuant to a subpoena." The regulations promulgated under HIPAA require specific steps prior to making any disclosure of protected health information pursuant to a subpoena. Section 164.512 (e) (1) of title 45 of the Code of Federal Regulations provides in relevant part: "A covered entity may disclose protected health information in the course of any judicial or administrative proceeding ... (ii) [i]n response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal...." The regulation, however, allows for such a disclosure only if the patient has received adequate notice of the request or a qualified protective order has been sought. See 45 C.F.R. § 164.512 (e) ; see also 45 C.F.R. § 164.512 (e) (1) (iv). The defendant's own admissions establish that it did not comply with this regulation when it responded to the subpoena in the present case.
In support of its claim, the defendant cites to Givens v. Mullikin ex rel. McElwaney , 75 S.W.3d 383, 407–408 (Tenn. 2002). In Givens , the Supreme Court of Tennessee concluded "that an implied covenant of confidentiality can arise from the original contract of treatment for payment [between a physician and a patient]." The court further concluded "it is clear that whatever the terms of this implied covenant of confidentiality may be, a physician cannot withhold such information in the face of a subpoena or other request cloaked with the authority of the court. Undoubtedly, any such contract would be contrary to public policy as expressed in the rules governing [pretrial] discovery and in the relevant medical confidentiality statutes."Id., at 408. We agree with the Supreme Court of Tennessee that a physician cannot withhold information lawfully obtained through a subpoena. The plaintiff's complaint in the present case, however, does not raise that issue. Instead, the plaintiff's complaint alleges that the defendant negligently disclosed her medical information in response to a subpoena because it failed to follow HIPAA regulations and our rules of court.
Furthermore, in Givens , the plaintiff alleged that the physician violated the duty of confidentiality by disclosing her medical information in response to a technically defective subpoena. Id., at 408. The Supreme Court of Tennessee refused to conclude that a physician is under a duty to discover technical defects in a subpoena. Id. We conclude that Givens is distinguishable from the present case because, in the present case, the plaintiff does not allege that the defendant failed to make the proper legal determination regarding the subpoena, but instead, asserts that the defendant failed to follow the procedures health care providers are obligated to follow under HIPAA. Accordingly, we find Givens inapposite.
Section 164.512 (e) of title 45 of the Code of Federal Regulations provides: "Standard: Disclosures for judicial and administrative proceedings .
"(1) Permitted disclosures . A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:
"(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or
"(ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:
"(A) The covered entity receives satisfactory assurance, as described in paragraph (e) (1) (iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or
"(B) The covered entity receives satisfactory assurance, as described in paragraph (e) (1) (iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e) (1) (v) of this section.
"(iii) For the purposes of paragraph (e) (1) (ii) (A) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
"(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);
"(B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and
"(C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:
"(1) No objections were filed; or
"(2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.
"(iv) For the purposes of paragraph (e) (1) (ii) (B) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:
"(A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or
"(B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.
"(v) For purposes of paragraph (e) (1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e) (1) (ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:
"(A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and
"(B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.
"(vi) Notwithstanding paragraph (e) (1) (ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e) (1) (ii) of this section without receiving satisfactory assurance under paragraph (e) (1) (ii) (A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e) (1) (iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e) (1) (v) of this section.
"(2) Other uses and disclosures under this section . The provisions of this paragraph do not supersede other provisions of this section that otherwise permit or restrict uses or disclosures of protected health information."
We conclude that a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law. In the present case, there is a genuine issue of material fact as to whether the defendant violated the duty of confidentiality by the manner in which it disclosed the plaintiff's medical records in response to the subpoena. Accordingly, we conclude that the trial court incorrectly granted summary judgment in favor of the defendant in the present case.
The judgment is reversed and the case is remanded for further proceedings in accordance with this opinion.
In this opinion the other justices concurred.
ROBINSON, J., concurring.
I agree with the court's well-reasoned conclusion that "a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law." I write separately only to emphasize my continuing reticence to recognize new causes of action under Connecticut's common law insofar as it "is not the duty of this court to make law. That is a task properly left to the legislature. To do otherwise, even if based on sound policy and the best of intentions, would be to substitute our will for that of a body democratically elected by the citizens of this state and to overplay our proper role in the theater of [state] government." (Internal quotation marks omitted.) Campos v. Coleman , 319 Conn. 36, 64, 123 A.3d 854 (2015) (Zarella, J. , dissenting) (disagreeing with majority's decision to adopt common-law cause of action for minor child's loss of parental consortium). Our decision to recognize a new cause of action in the present case is wholly consistent with my view, eloquently stated by Justice Zarella, that, although "this court has the authority to change the common law to conform to the times ... [i]n a society of ever increasing interdependence and complexity, however, it is an authority this court should exercise only sparingly." Id., at 65, 123 A.3d 854 ; accord Sepega v. DeLaura , 326 Conn. 788, 843, 167 A.3d 916 (2017) (Robinson, J. , concurring) ("Legislative action, as in some of our sister states, would be ideal for making the appropriate findings and articulating the contours of Connecticut's firefighter's rule.... Nevertheless, until such time as our legislature can act, I would adopt a formulation of the firefighter's rule as a matter of common law that encourages citizens to seek help in emergencies, while not slamming the courthouse door to appropriate claims of our first responders." [Citation omitted.] ); Sepega v. DeLaura , supra, at 835 n.15, 167 A.3d 916 (Robinson, J. , concurring) ("the legislature is the appropriate forum for any reexamination of the legislative facts underlying our common-law decisionmaking").
In viewing our decision in the present case to be an appropriate exercise of our common-law authority to recognize new causes of action, I emphasize in particular that it complements both the limited federal administrative remedies provided by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1320d et seq., as well as our state legislature's recognition of the importance of confidentiality in a physician-patient relationship through the 1990 adoption of General Statutes § 52–146o, subsection (a) of which furnishes an evidentiary physician-patient privilege in civil, administrative, legislative, and probate proceedings, with limited exceptions provided by subsection (b) of the statute. See Byrne v. Avery Center for Obstetrics & Gynecology, P.C. , 314 Conn. 433, 458–59, 102 A.3d 32 (2014). Moreover, although this case presents a legal issue of first impression, providing a common-law remedy for the breach of the physician's duty of confidentiality does not disturb the settled expectations of physicians or patients given the long-standing ethical and legal bases for that duty. Cf. Campos v. Coleman , supra, 319 Conn. at 76–77, 123 A.3d 854 (Zarella, J. , dissenting) (stating that majority's decision to overrule Mendillo v. Board of Education , 246 Conn. 456, 717 A.2d 1177 [1998], which had declined to recognize derivative cause of action for loss of parental consortium by minor children, raised numerous policy and political questions "that [turn] on a number of socioeconomic factors, and it should therefore be left to the legislature"). Put differently, I believe that the expectations of our citizens would be more unsettled had we, in essence, declared the doors of our courthouses closed to patients whose health care providers improperly breached their confidences. Accordingly, I conclude that we properly exercise our common-law authority to recognize a cause of action in the present case, and I agree with the majority's determination that a genuine issue of material fact exists, requiring that we remand the case to the trial court for further proceedings on this point.
As the majority aptly points out, and in contrast to the divided case law that confronted us in Campos v. Coleman , supra, 319 Conn. at 73–76, 123 A.3d 854 (Zarella, J. , dissenting), I also emphasize the extremely broad support for recognition of a cause of action in the case law of our sister states. See, e.g., Horne v. Patton , 291 Ala. 701, 708–709, 287 So.2d 824 (1973) ; Alberts v. Devine , 395 Mass. 59, 69, 479 N.E.2d 113, cert. denied sub nom. Carroll v. Alberts , 474 U.S. 1013, 106 S.Ct. 546, 88 L.Ed. 2d 475 (1985) ; McCormick v. England , 328 S.C. 627, 644, 494 S.E.2d 431 (App. 1997) ; Fairfax Hospital v. Curtis , 254 Va. 437, 442, 492 S.E.2d 642 (1997) ; but see Quarles v. Sutherland , 215 Tenn. 651, 657, 389 S.W.2d 249 (1965).
Accordingly, I concur in the judgment of the court.