There have been a variety of recent developments in the area of HIPAA violations.


On January 16, 2018, the Connecticut Supreme Court issued its opinion in Byrne v. Avery Center for Obstetrics and Gynecology, (Conn. Sup. Ct., Case No. 19873, Jan 16, 2018) regarding a private right of action. This Court’s opinion is about the clearest statement in the country about the application of state negligence law to medical privacy violations, using HIPAA regulations as the industry standard of care. The Connecticut Supreme Court found that a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained for the purpose of treatment gives rise to a cause of action against the health care provider, unless the disclosure is otherwise allowed by law. The Court allowed the case to go to the jury to determine whether the Avery Center violated that duty of confidentiality when it disclosed Byrne’s medical records in response to a subpoena, and found that the mere existence of a subpoena does not preclude recovery for breach of confidentiality. The Avery Center had apparently complied neither with the face of the subpoena nor with the federal HIPAA regulation governing responses to such subpoenas.

In May 2017, St. Luke’s-Roosevelt Hospital Center Inc. paid the U.S. Department of Health and Human Services (HHS) $387,200 to settle potential violations of the HIPAA Privacy Rule and agreed to implement a comprehensive corrective action plan. St. Luke’s operates the Institute for Advanced Medicine, formerly Spencer Cox Center for Health (the Spencer Cox Center), which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. In September 2014, the HHS Office for Civil Rights (OCR) received a complaint alleging that a staff member from the Spencer Cox Center impermissibly disclosed the complainant’s protected health information to the complainant’s employer. This impermissible disclosure included sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse. OCR’s subsequent investigation revealed that staff at the Spencer Cox Center impermissibly faxed the patient’s records to his employer rather than sending them to the requested personal post office box. Additionally, OCR discovered that the Spencer Cox Center was responsible for a related breach of sensitive information that occurred nine months prior to the aforementioned incident but had not addressed the vulnerabilities in its compliance program to prevent impermissible disclosures.

Also in May 2017, Memorial Hermann Health System (MHHS) agreed to pay $2.4 million to the U.S. Department of Health and Human Services (HHS) and adopt a comprehensive corrective action plan to settle potential violations of the HIPAA Privacy Rule. MHHS is a not-for-profit health system located in Southeast Texas, comprised of 16 hospitals and specialty services in the Greater Houston area.

The HHS Office for Civil Rights (OCR) initiated a compliance review of MHHS based on multiple media reports suggesting that MHHS disclosed a patient’s protected health information (PHI) without an authorization. In September 2015, a patient at one of MHHS’s clinics presented an allegedly fraudulent identification card to office staff. The staff immediately alerted appropriate authorities of the incident, and the patient was arrested. This disclosure of PHI to law enforcement was permitted under the HIPAA Rules. However, MHHS subsequently published a press release concerning the incident in which MHHS senior management approved the impermissible disclosure of the patient’s PHI by adding the patient’s name in the title of the press release. In addition, MHHS failed to timely document the sanctioning of its workforce members for impermissibly disclosing the patient’s information.

Each of these cases makes clear that the penalties associated with repeated violations of HIPAA can be incredibly expensive.