Ann W. Latner, JD writes:
This month we revisit a very important privacy case which held that a violation of medical privacy under HIPAA could lead to tort liability under state law. The case lingered in the courts for a total of almost 12 years, reaching the state supreme court twice, and set new precedent recognizing a cause of action for patients who have been harmed by the unauthorized disclosure of private medical information.
The plaintiff in the case, Ms. B, was a patient of a physician who was part of an obstetrics and gynecology practice. When Ms. B discovered she was pregnant, she sought care from the practice, but asked them not to reveal any medical records to her former boyfriend, Mr. M. Sometime after the baby was born, Ms. B moved away and stopped using the practice. However, her former boyfriend, Mr. M, filed a paternity action and subpoenaed the practice, instructing the “custodian of its records” to appear before the issuing attorney in court and to produce “all medical records” pertaining to Ms. B.
Rather than notify Ms. B, consult its attorney, or send an employee to court, the practice simply put all of Ms. B’s medical records in an envelope and mailed them to court, where Mr. M was able to access the information. According to Ms. B, her former boyfriend used the information to harass and extort her, and that embarrassing information had been provided by the practice that had nothing to do with the paternity issue. Ms. B instituted a lawsuit against the Ob/Gyn practice.
Read more about the case on MPR.