******************************************************
The ‘‘officially released’’ date that appears near the
beginning of each opinion is the date the opinion will
be published in the Connecticut Law Journal or the
date it was released as a slip opinion. The operative
date for the beginning of all time periods for filing
postopinion motions and petitions for certification is
the ‘‘officially released’’ date appearing in the opinion.
In no event will any such motions be accepted before
the ‘‘officially released’’ date.
All opinions are subject to modification and technical
correction prior to official publication in the Connecti-
cut Reports and Connecticut Appellate Reports. In the
event of discrepancies between the electronic version
of an opinion and the print version appearing in the
Connecticut Law Journal and subsequently in the Con-
necticut Reports or Connecticut Appellate Reports, the
latest print version is to be considered authoritative.
The syllabus and procedural history accompanying
the opinion as it appears on the Commission on Official
Legal Publications Electronic Bulletin Board Service
and in the Connecticut Law Journal and bound volumes
of official reports are copyrighted by the Secretary of
the State, State of Connecticut, and may not be repro-
duced and distributed without the express written per-
mission of the Commission on Official Legal
Publications, Judicial Branch, State of Connecticut.
******************************************************
EMILY BYRNE v. AVERY CENTER
FOR OBSTETRICS AND
GYNECOLOGY, P.C.
(SC 18904)
Rogers, C. J., and Norcott, Palmer, Zarella, Eveleigh, McDonald and
Vertefeuille, Js.*
Argued March 12, 2013—officially released November 11, 2014
Bruce L. Elstein, with whom, on the brief, was Henry
Elstein, for the appellant (plaintiff).
James F. Biondo, with whom, on the brief, was
Audrey D. Medd, for the appellee (defendant).
Opinion
NORCOTT, J. Congress enacted the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), 42
U.S.C. § 1320d et seq., as a comprehensive legislative
and regulatory scheme to, inter alia, protect the privacy
of patients’ health information given emerging advances
in information technology. In this appeal, we determine
whether HIPAA, which lacks a private right of action
and preempts ‘‘contrary’’ state laws; 42 U.S.C. § 1320d-
7 (2006);1 preempts state law claims for negligence and
negligent infliction of emotional distress against a
health care provider who is alleged to have improperly
breached the confidentiality of a patient’s medical
records in the course of complying with a subpoena.
The plaintiff, Emily Byrne,2 appeals from the judgment
of the trial court dismissing counts two and four of the
operative amended complaint (complaint) filed against
the defendant, the Avery Center for Obstetrics and
Gynecology, P.C.3 On appeal, the plaintiff contends that
the trial court improperly concluded that her state law
claims for negligence and negligent infliction of emo-
tional distress were preempted by HIPAA. We conclude
that, to the extent that Connecticut’s common law pro-
vides a remedy for a health care provider’s breach of
its duty of confidentiality in the course of complying
with a subpoena, HIPAA does not preempt the plaintiff’s
state common-law causes of action for negligence or
negligent infliction of emotional distress against the
health care providers in this case and, further, that
regulations of the Department of Health and Human
Services (department) implementing HIPAA may
inform the applicable standard of care in certain circum-
stances. Accordingly, we reverse the judgment of the
trial court.
The trial court’s memorandum of decision sets forth
the following undisputed facts and procedural history.
‘‘Before July 12, 2005, the defendant provided the plain-
tiff [with] gynecological and obstetrical care and treat-
ment. The defendant provided its patients, including
the plaintiff, with notice of its privacy policy regarding
protected health information and agreed, based on this
policy and on law, that it would not disclose the plain-
tiff’s health information without her authorization.
‘‘In May, 2004, the plaintiff began a personal relation-
ship with Andro Mendoza, which lasted until Septem-
ber, 2004.4 . . . In October, 2004, she instructed the
defendant not to release her medical records to Men-
doza. In March, 2005, she moved from Connecticut to
Vermont where she presently lives. On May 31, 2005,
Mendoza filed paternity actions against the plaintiff in
Connecticut and Vermont. Thereafter, the defendant
was served with a subpoena requesting its presence
together with the plaintiff’s medical records at the New
Haven Regional Children’s [Probate Court] on July 12,
2005. The defendant did not alert the plaintiff of the
subpoena, file a motion to quash it or appear in court.
Rather, the defendant mailed a copy of the plaintiff’s
medical file to the court around July 12, 2005. In Septem-
ber, 2005, ‘[Mendoza] informed [the] plaintiff by tele-
phone that he reviewed [the] plaintiff’s medical file in
the court file.’ On September 15, 2005, the plaintiff filed
a motion to seal her medical file, which was granted.
The plaintiff alleges that she suffered harassment and
extortion threats from Mendoza since he viewed her
medical records.’’5 (Footnotes altered.)
The plaintiff subsequently brought this action against
the defendant. Specifically, the operative complaint in
the present case alleges that the defendant: (1)
breached its contract with her when it violated its pri-
vacy policy by disclosing her protected health informa-
tion without authorization; (2) acted negligently by
failing to use proper and reasonable care in protecting
her medical file, including disclosing it without authori-
zation in violation of General Statutes § 52-146o6 and
the department’s regulations implementing HIPAA;7 (3)
made a negligent misrepresentation, upon which the
plaintiff relied to her detriment, that her ‘‘medical file
and the privacy of her health information would be
protected in accordance with the law’’; and (4) engaged
in conduct constituting negligent infliction of emotional
distress. After discovery, the parties filed cross motions
for summary judgment.
With respect to the plaintiff’s negligence based claims
in counts two and four of the complaint, the trial court
agreed with the defendant’s contention that ‘‘HIPAA
preempts ‘any action dealing with confidentiality/pri-
vacy of medical information,’ ’’ which prompted the
court to treat the summary judgment motion as one
seeking dismissal for lack of subject matter jurisdiction.
In its memorandum of decision, the trial court first
considered the plaintiff’s negligence claims founded on
the violations of the regulations implementing HIPAA.
The court first observed the ‘‘well settled’’ proposition
that HIPAA does not create a private right of action,
requiring claims of violations instead to be raised
through the department’s administrative channels. The
trial court then relied on Fisher v. Yale University,
Superior Court, judicial district of New Haven, Complex
Litigation Docket, Docket No. X10-CV-04-4003207-S
(April 3, 2006), and Meade v. Orthopedic Associates of
Windham County, Superior Court, judicial district of
Windham, Docket No. CV-06-4005043-S (December 27,
2007),8 and rejected the plaintiff’s claim that she had
not utilized HIPAA as the basis of her cause of action,
but rather, relied on it as ‘‘ ‘evidence of the appropriate
standard of care’ for claims brought under state law,
namely, negligence.’’9 Emphasizing that the courts can-
not supply a private right of action that the legislature
intentionally had omitted, the trial court noted that the
‘‘plaintiff has labeled her claims as negligence claims,
but this does not change their essential nature. They
are HIPAA claims.’’ The trial court further determined
that the plaintiff’s statutory negligence claims founded
on a violation of § 52-146o were similarly preempted
because the state statute had been superseded by
HIPAA, and thus the plaintiff’s state statutory claim
‘‘amount[ed] to a claim for a HIPAA violation, a claim
for which there is no private right of action.’’10
The trial court concluded similarly with respect to
the plaintiff’s common-law negligence claims, observ-
ing that, under the regulatory definitions implementing
HIPAA’s preemption provision; see 42 U.S.C. § 1320d-
7 (a); 45 C.F.R. § 160.202 (2004);11 to ‘‘the extent that
common-law negligence permits a private right of
action for claims that amount to HIPAA violations, it
is a contrary provision of law and subject to HIPAA’s
preemption rule. Because it is not more stringent,
according to the definition of 45 C.F.R. § 160.202, the
preemption exception does not apply.’’ For the same
reasons, the trial court dismissed count four of the
complaint, claiming negligent infliction of emotional
distress.
With respect to the remainder of the pending motions,
the trial court first denied, on the basis of its previous
preemption determinations, the plaintiff’s motion for
summary judgment, which had claimed that the defen-
dant’s conduct in responding to the subpoena violated
the HIPAA regulations, specifically 45 C.F.R. § 164.512
(e),12 as a matter of law. The trial court denied, however,
the defendant’s motion for summary judgment with
respect to the remaining counts of the complaint,
namely, count one alleging breach of contract and count
three alleging negligent misrepresentation, determining
that genuine issues of material fact existed with respect
to contract formation through the defendant’s privacy
policy, and whether the plaintiff had received and relied
upon that policy. Thus, the trial court denied the defen-
dant’s motion for summary judgment as to counts one
and three of the complaint, and dismissed counts two
and four of the complaint for lack of subject matter
jurisdiction. This appeal followed. See footnote 3 of
this opinion.
On appeal, the plaintiff claims that the trial court
improperly determined that HIPAA preempted her neg-
ligence based state law claims. Conceding that there is
no private right of action under HIPAA, the plaintiff
asserts that she is not asserting a claim for relief prem-
ised solely on a violation of HIPAA, but rather, relies
heavily on Merrell Dow Pharmaceuticals, Inc. v.
Thompson, 478 U.S. 804, 106 S. Ct. 3229, 92 L. Ed. 2d
650 (1986), Acosta v. Byrum, 180 N.C. App. 562, 638
S.E.2d 246 (2006), and R.K. v. St. Mary’s Medical Cen-
ter, Inc., 229 W. Va. 712, 735 S.E.2d 715 (2012), cert.
denied, U.S. , 133 S. Ct. 1738, 185 L. Ed. 2d 788
(2013), in support of the proposition that common-law
negligence actions, with HIPAA informing the standard
of care, may complement rather than ‘‘obstruct’’ HIPAA
for preemption purposes. Citing, inter alia, Mead v.
Burns, 199 Conn. 651, 662–63, 509 A.2d 11 (1986), and
Wendland v. Ridgefield Construction Services, Inc.,
184 Conn. 173, 181, 439 A.2d 954 (1981), the plaintiff
emphasizes that the use of other state law causes of
action to enforce statutes otherwise lacking private
rights of action has been upheld by this court in the
analogous contexts of the Connecticut Unfair Insurance
Practices Act, General Statutes § 38a-815 et seq., and
the federal Occupational Safety and Health Act (OSHA),
29 U.S.C. § 651 et seq., and its state counterpart, General
Statutes § 31-367 et seq. The plaintiff further argues
that, under HIPAA and its implementing regulation; see
42 U.S.C. § 1320d-7 (a) (1); 45 C.F.R. § 160.202; her state
law claims for relief are not preempted because it is
not ‘‘contrary to’’ HIPAA to provide for damages under
state common-law claims for privacy breaches.
In response, the defendant relies on the long line of
federal and state cases establishing that there is no
private right of action, express or implied, under HIPAA.
See, e.g., O’Donnell v. Blue Cross Blue Shield of Wyo-
ming, 173 F. Supp. 2d 1176 (D. Wyo. 2001); Fisher v.
Yale University, supra, Superior Court, Docket No. X10-
CV-04-4003207-S. Observing that ‘‘playing word games
does not change the underlying theory of liability,’’ the
defendant relies on Young v. Carran, 289 S.W.3d 586
(Ky. App. 2008), review denied, 2009 Ky. LEXIS 592 (Ky.
August 19, 2009), and Bonney v. Stephens Memorial
Hospital, 17 A.3d 123 (Me. 2011), and contends that,
because there is no private right of action under HIPAA,
‘‘a plaintiff cannot use a violation of HIPAA as the stan-
dard of care for underlying claims, such as negligence.’’
The defendant further emphasizes that the plaintiff’s
negligence claim relying on § 52-146o is preempted
because HIPAA is more stringent than the state statute.
Finally, the defendant also argues briefly, in what
appears to be either alternative grounds for affirming
the judgment of the trial court or matters likely to arise
on remand, that: (1) there is no private right of action
under § 52-146o; and (2) it was not obligated, as a matter
of law, to inform the plaintiff that it had complied with
a subpoena, and its compliance with the subpoena did
not violate her privacy rights.13
We note at the outset that whether Connecticut’s
common law provides a remedy for a health care provid-
er’s breach of its duty of confidentiality, including in
the context of responding to a subpoena, is not an
issue presented in this appeal. Thus, assuming, without
deciding, that Connecticut’s common law recognizes
a negligence cause of action arising from health care
providers’ breaches of patient privacy in the context of
complying with subpoenas,14 we agree with the plaintiff
and conclude that such an action is not preempted by
HIPAA and, further, that the HIPAA regulations may
well inform the applicable standard of care in certain
circumstances.
I
PREEMPTION CLAIMS
The defendant’s claim that HIPAA preemption shifts
the exclusive venue for the resolution of all disputes
relating to that statute from the state court to the federal
administrative forum implicates our subject matter
jurisdiction. See, e.g., Stokes v. Norwich Taxi, LLC, 289
Conn. 465, 488 and n.18, 958 A.2d 1195 (2008). As the
trial court properly noted, the defendant’s summary
judgment essentially was a ‘‘motion to dismiss [that]
. . . properly attacks the jurisdiction of the court,
essentially asserting that the plaintiff cannot as a matter
of law and fact state a cause of action that should be
heard by the court. . . . A motion to dismiss tests, inter
alia, whether, on the face of the record, the court is
without jurisdiction. . . . [O]ur review of the court’s
ultimate legal conclusion and resulting [determination]
of the motion to dismiss will be de novo. . . . In under-
taking this review, we are mindful of the well estab-
lished notion that, in determining whether a court has
subject matter jurisdiction, every presumption favoring
jurisdiction should be indulged.’’ (Citation omitted;
internal quotation marks omitted.) Conboy v. State, 292
Conn. 642, 650, 974 A.2d 669 (2009); see also Practice
Book § 10-31 (a) (1).
Whether state causes of action are preempted by
federal statutes and regulations is a question of law
over which our review is plenary. See, e.g., Hackett v.
J.L.G. Properties, LLC, 285 Conn. 498, 502–503, 940
A.2d 769 (2008). Thus, we note that ‘‘the ways in which
federal law may [preempt] state law are well established
and in the first instance turn on congressional intent.
. . . Congress’ intent to supplant state authority in a
particular field may be express[ed] in the terms of the
statute.’’ (Internal quotation marks omitted.) Id., 503;
see also id., 504 (‘‘The question of preemption is one
of federal law, arising under the supremacy clause of the
United States constitution. . . . Determining whether
Congress has exercised its power to preempt state law
is a question of legislative intent.’’ [Internal quotation
marks omitted.]).
Turning to the HIPAA provisions at issue in this
appeal, we note by way of background that, ‘‘[r]ecogniz-
ing the importance of protecting the privacy of health
information in the midst of the rapid evolution of health
information systems, Congress passed HIPAA in August
1996. HIPAA’s Administrative Simplification provisions,
[§§] 261 through 264 of [Public Law 104-191], were
designed to improve the efficiency and effectiveness of
the health care system by facilitating the exchange of
information with respect to financial and administrative
transactions carried out by health plans, health care
clearinghouses, and health care providers who transmit
information in connection with such transactions. . . .
‘‘Within the Administrative Simplification section,
Congress included another provision—[§] 264—outlin-
ing a two-step process to address the need to afford
certain protections to the privacy of health information
maintained under HIPAA. First, [§] 264 (a) directed
[the department] to submit to Congress within twelve
months of HIPAA’s enactment ‘detailed recommenda-
tions on standards with respect to the privacy of individ-
ually identifiable health information.’ . . . Second, if
Congress did not enact further legislation pursuant to
these recommendations within thirty-six months of the
enactment of HIPAA, [the department] was to promul-
gate final regulations containing such standards.’’ (Cita-
tions omitted; footnote omitted.) South Carolina
Medical Assn. v. Thompson, 327 F.3d 346, 348 (4th Cir.),
cert. denied, 540 U.S. 981, 124 S. Ct. 464, 157 L. Ed. 2d
371 (2003). Because Congress ultimately failed to pass
any additional legislation, the department’s final regula-
tions implementing HIPAA, known collectively as the
‘‘Privacy Rule,’’ were ‘‘promulgated in February 2001,’’
with compliance phased in over the next few years.15
Id., 349.
With respect to the preemptive effect of HIPAA, 42
U.S.C. § 1320d-7 (a) (i) provides that: ‘‘Except as pro-
vided in paragraph (2), a provision or requirement under
this part, or a standard or implementation specification
adopted or established under sections 1320d-1 through
1320d-3 of this title, shall supersede any contrary provi-
sion of State law, including a provision of State law
that requires medical or health plan records (including
billing information) to be maintained or transmitted in
written rather than electronic form.’’ (Emphasis added.)
See footnote 1 of this opinion for the complete text
of 42 U.S.C. § 1320d-7. The department’s regulations,
namely, 45 C.F.R. § 160.202 (2004) and 45 C.F.R.
§ 160.203, provide additional explication of HIPAA’s
preemptive effect. Specifically, 45 C.F.R. § 160.203 pro-
vides as a ‘‘general rule’’ that a ‘‘standard, requirement,
or implementation specification adopted under this sub-
chapter that is contrary to a provision of State law
preempts the provision of State law.’’ (Emphasis
added.) A state law is ‘‘contrary’’ to HIPAA if ‘‘(1) A
covered entity would find it impossible to comply with
both the [s]tate and [f]ederal requirements; or (2) [t]he
provision of [s]tate law stands as an obstacle to the
accomplishment and execution of the full purposes and
objectives of part C of title XI of [HIPPA], [§] 264 of
[Public Law] 104-191, as applicable.’’ (Emphasis added.)
45 C.F.R. § 160.202 (2004). The regulations define a
‘‘[s]tate law’’ as ‘‘a constitution, statute, regulation, rule,
common law, or other [s]tate action having the force
and effect of law.’’ (Emphasis added.) 45 C.F.R.
§ 160.202 (2004).
As relevant to this appeal, state laws exempted from
preemption include those that ‘‘[relate] to the privacy of
individually identifiable health information16 and [are]
more stringent than a standard, requirement, or imple-
mentation specification adopted under subpart E of part
164 of this subchapter.’’17 (Emphasis added; footnote
added.) 45 C.F.R. § 160.203 (b). A state law is ‘‘[m]ore
stringent’’ ‘‘in the context of a comparison of a provision
of [s]tate law and a standard, requirement, or implemen-
tation specification adopted under subpart E of part
164 of this subchapter, [if it] meets one or more of the
following criteria:
***
‘‘(4) With respect to the form, substance, or the need
for express legal permission from an individual, who
is the subject of the individually identifiable health
information, for use or disclosure of individually identi-
fiable health information, provides requirements that
narrow the scope or duration, increase the privacy pro-
tections afforded (such as by expanding the criteria
for), or reduce the coercive effect of the circumstances
surrounding the express legal permission, as applica-
ble. . . .
‘‘(6) With respect to any other matter, provides
greater privacy protection for the individual who is the
subject of the individually identifiable health informa-
tion.’’ 45 C.F.R. § 160.202 (2004); see also footnote 11
of this opinion.
This statutory and regulatory background brings us
to the question in the present appeal, namely, whether
HIPAA preempts a state law claim sounding in negli-
gence arising from a health care provider’s alleged
breach of physician-patient confidentiality in the course
of complying with a subpoena. It is by now well settled
that the ‘‘statutory structure of HIPAA . . . precludes
implication of a private right of action. [Section]
1320d–6 [of title 42 of the United States Code]18
expressly provides a method for enforcing its prohibi-
tion upon use or disclosure of individual’s health infor-
mation—the punitive imposition of fines and
imprisonment for violations.’’ (Footnote added.) Uni-
versity of Colorado Hospital Authority v. Denver Pub-
lishing Co., 340 F. Supp. 2d 1142, 1145 (D. Colo. 2004);
see also, e.g., 42 U.S.C. § 1320d-5 (providing for adminis-
trative enforcement by department and state attorneys
general); Dodd v. Jones, 623 F.3d 563, 569 (8th Cir.
2010); Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006);
Rzayeva v. United States, 492 F. Supp. 2d 60, 83 (D.
Conn. 2007); O’Donnell v. Blue Cross Blue Shield of
Wyoming, supra, 173 F. Supp. 2d 1180–81.
Nevertheless, it is similarly well established that,
‘‘[o]rdinarily, state causes of action are not [preempted]
solely because they impose liability over and above that
authorized by federal law.’’ (Internal quotation marks
omitted.) English v. General Electric Co., 496 U.S. 72,
89, 110 S. Ct. 2270, 110 L. Ed. 2d 65 (1990); see also
id., 87–90 (state tort claim for intentional infliction of
emotional distress arising from termination of whis-
tleblower not preempted by federal legislation intended
to occupy field of nuclear safety, even with statutes’
provision of administrative remedy for whistleblower
violations). As a corollary, ‘‘a complaint alleging a viola-
tion of a federal statute as an element of a state cause
of action, when Congress has determined that there
should be no private, federal cause of action for the
violation, does not state a claim ‘arising under the [c]on-
stitution, laws, or treaties of the United States’ ’’ for
purposes of federal question jurisdiction under 28
U.S.C. § 1331. Merrell Dow Pharmaceuticals, Inc. v.
Thompson, supra, 478 U.S. 817; see also Grable & Sons
Metal Products, Inc. v. Darue Engineering & Mfg., 545
U.S. 308, 319, 125 S. Ct. 2363, 162 L. Ed. 2d 257 (2005)
(‘‘[a] general rule of exercising federal jurisdiction over
state claims resting on federal mislabeling and other
statutory violations would thus have heralded a poten-
tially enormous shift of traditionally state cases into
federal courts’’).
Consistent with these principles, the regulatory his-
tory of the HIPAA demonstrates that neither HIPAA nor
its implementing regulations were intended to preempt
tort actions under state law arising out of the unautho-
rized release of a plaintiff’s medical records. As the
plaintiff aptly notes, one commenter during the rulem-
aking process had ‘‘raised the issue of whether a private
right of action is a greater penalty, since the proposed
federal rule has no comparable remedy.’’19 Standards
for Privacy of Individually Identifiable Health Informa-
tion, 65 Fed. Reg. 82,462, 82,582 (December 28, 2000).
In its administrative commentary to the final rule as
promulgated in the Federal Register, the department
responded to this question by stating, inter alia, that
‘‘the fact that a state law allows an individual to file [a
civil action] to protect privacy does not conflict with
the HIPAA penalty provisions,’’ namely, fines and
imprisonment. (Emphasis added.) Id. This agency com-
mentary on final rules in the Federal Register is signifi-
cant evidence of regulatory intent. See, e.g., Exelon
Generation Co., LLC v. Local 15, International Broth-
erhood of Electrical Workers, AFL-CIO, 676 F.3d 566,
573–75 (7th Cir. 2012); Southeast Alaska Conservation
Council v. United States Army Corps of Engineers, 486
F.3d 638, 648 (9th Cir. 2007), rev’d on other grounds
sub nom. Coeur Alaska, Inc. v. Southeast Alaska Con-
servation Council, 557 U.S. 261, 129 S. Ct. 2458, 174
L. Ed. 2d 193 (2009). Indeed, ‘‘[w]here an agency has
authoritatively interpreted its own rule, courts generally
defer to that reading unless it is plainly erroneous or
inconsistent with the regulation.’’ (Internal quotation
marks omitted.) Exelon Generation Co., LLC v. Local
15, International Brotherhood of Electrical Workers,
AFL-CIO, supra, 570.
Consistent with this regulatory history, the parties’
briefs and our independent research disclose a number
of cases from the federal and sister state courts holding
that HIPAA, and particularly its implementation
through the Privacy Rule regulations, does not preempt
causes of action, when they exist as a matter of state
common or statutory law, arising from health care pro-
viders’ breaches of patient confidentiality in a variety
of contexts; indeed, several have determined that
HIPAA may inform the relevant standard of care in such
actions.20 See I.S. v. Washington University, United
States District Court, Docket No. 4:11CV235SNLJ (E.D.
Mo. June 14, 2011) (The court rejected the defendant’s
argument that the ‘‘negligence per se’’ count of the
plaintiff’s complaint, premised on HIPAA violations, ‘‘in
reality is a claim for violation of HIPAA, which is imper-
missible under federal law,’’ but remanding claim to
state court because it ‘‘does not raise any compelling
federal interest nor is a substantial federal question
presented. Although HIPAA is clearly implicated in the
claim for negligence per se, said claim fall[s] within
that broad class of state law claims based on federal
regulations in the state court . . . .’’ [Internal quotation
marks omitted.]); Harmon v. Maury County, United
States District Court, Docket No. 1:05CV0026 (M.D.
Tenn. August 31, 2005) (concluding that plaintiffs’ negli-
gence per se claims founded on violation of HIPAA
privacy regulation were not preempted because
‘‘HIPAA’s provisions do not completely preempt state
law and expressly preserve state laws that are not incon-
sistent with its terms’’ and ‘‘there is no private remedy
under federal law and the critical interest is the privacy
interests of the [p]laintiffs’’); Fanean v. Rite Aid Corp.
of Delaware, Inc., 984 A.2d 812, 823 (Del. Super. 2009)
(concluding that claim of negligence per se could not
be premised on HIPAA violation, but following Toll
Bros., Inc. v. Considine, 706 A.2d 493 [Del. 1998], hold-
ing ‘‘that a common law negligence claim can be predi-
cated upon OSHA requirements,’’ in concluding that
common-law negligence claim could utilize HIPAA as
‘‘guidepost for determining the standard of care’’);
Young v. Carran, supra, 289 S.W.3d 588–89 (rejecting
plaintiff’s attempt to use HIPAA as foundation for dam-
ages claim under state ‘‘negligence per se’’ statute, but
observing that state case law permits use of federal
statutes otherwise to inform standard of care in com-
mon-law negligence action); Bonney v. Stephens Memo-
rial Hospital, supra, 17 A.3d 128 (‘‘[a]lthough . . .
HIPAA standards, like state laws and professional codes
of conduct, may be admissible to establish the standard
of care associated with a state tort claim, [HIPAA] itself
does not authorize a private action’’); Yath v. Fairview
Clinics, N.P., 767 N.W.2d 34, 49–50 (Minn. App. 2009)
(concluding that state statutory cause of action for
improper disclosure of medical records was not pre-
empted by HIPAA because ‘‘[a]lthough the penalties
under the two laws differ, compliance with [the Minne-
sota statute] does not exclude compliance with HIPAA,’’
and ‘‘[r]ather than creating an ‘obstacle’ to HIPAA, [the
Minnesota statute] supports at least one of HIPAA’s
goals by establishing another disincentive to wrongfully
disclose a patient’s health care record’’); Acosta v.
Byrum, supra, 180 N.C. App. 571–73 (The court con-
cluded that the trial court improperly dismissed the
negligent infliction of emotional distress case because
the allegation that, when the psychiatrist ‘‘provided his
medical access code . . . [he] violated the rules and
regulations established by HIPAA . . . does not state
a cause of action under HIPAA. Rather, [the] plaintiff
cites to HIPAA as evidence of the appropriate standard
of care, a necessary element of negligence.’’); Sorensen
v. Barbuto, 143 P.3d 295, 299 n.2 (Utah App. 2006) (The
court noted that, in concluding that the trial court
improperly dismissed the plaintiff’s claim for breach of
professional duties, that the defendant physician ‘‘con-
tends that [the plaintiff] is not entitled to a private right
of action for breach of professional standards,’’ but that
the plaintiff ‘‘does not contend in his brief, however,
that a private right of action exists. Rather, [the plaintiff]
asserts that the professional standards contribute to the
proper standard of care, citing [HIPAA], the American
Medical Association’s Principles of Medical Ethics, and
the Hippocratic Oath.’’); R.K. v. St. Mary’s Medical Cen-
ter, Inc., supra, 229 W. Va. 719–21 (concluding that
state law claims for, inter alia, negligence, outrageous
conduct, and invasion of privacy arising from defendant
hospital staff’s disclosure of plaintiff’s psychiatric treat-
ment records to his wife’s divorce attorney, were not
preempted by HIPAA and that goals of common-law
remedies and HIPAA ‘‘are similar’’ in that ‘‘both protect
the privacy of an individual’s health care information’’);
but cf. Espinoza v. Gold Cross Services, Inc., 234 P.3d
156, 158–59 (Utah App. 2010) (contrasting similar
actions brought under California’s unfair competition
statute and declining to consider HIPAA copy fee sched-
ules in concluding that plaintiff’s common-law unjust
enrichment claim arising from defendant’s allegedly
excessive copying fees failed because ‘‘[w]e have no
basis in state or federal law to enforce federal regula-
tions promulgated under HIPAA, either directly or as
a component of a state cause of action’’).21
On the basis of the foregoing authorities, we conclude
that, if Connecticut’s common law recognizes claims
arising from a health care provider’s alleged breach of
its duty of confidentiality in the course of complying
with a subpoena, HIPAA and its implementing regula-
tions do not preempt such claims. We further conclude
that, to the extent it has become the common practice
for Connecticut health care providers to follow the pro-
cedures required under HIPAA in rendering services to
their patients, HIPAA and its implementing regulations
may be utilized to inform the standard of care applicable
to such claims arising from allegations of negligence
in the disclosure of patients’ medical records pursuant
to a subpoena.22 The availability of such private rights
of action in state courts, to the extent that they exist
as a matter of state law, do not preclude, conflict with,
or complicate health care providers’ compliance with
HIPAA. On the contrary, negligence claims in state
courts support ‘‘at least one of HIPAA’s goals by estab-
lishing another disincentive to wrongfully disclose a
patient’s health care record.’’ Yath v. Fairview Clinics,
N.P., supra, 767 N.W.2d 50. Accordingly, we conclude
that the trial court improperly dismissed counts two
and four of the plaintiff’s complaint, sounding in negli-
gence and negligent infliction of emotional distress.
II
OTHER CLAIMS
Beyond the preemption issue, the parties raise two
other matters that require attention because they may
provide us with an opportunity to address issues that
are likely to arise on remand or potentially provide an
alternative basis for affirming the judgment of the trial
court, at least in part. See, e.g., Total Recycling Services
of Connecticut, Inc. v. Connecticut Oil Recycling Ser-
vices, LLC, 308 Conn. 312, 325, 63 A.3d 896 (2013).
Specifically, we address: (1) the parties’ request that
we determine whether the defendant was negligent as
a matter of law by not informing the plaintiff of the
subpoena and by mailing the plaintiff’s medical records
into court; and (2) the defendant’s argument that it is
entitled to summary judgment on the plaintiff’s state
statutory claims because § 52-146o does not provide a
private right of action.
A
We first note that the plaintiff asks us, as a matter
of judicial economy in the event of a remand, to deter-
mine, as a matter of law, whether the defendant’s act
of mailing the medical records into court in response
to the subpoena complied with General Statutes § 52-
143 and the federal regulatory provisions under HIPAA,
namely, 45 C.F.R. § 164.512 (e) (1) (ii) and (iii), with
respect to notifying the plaintiff or seeking a qualified
protective order. See footnote 12 of this opinion. In
response, the defendant, relying on the deposition testi-
mony of its HIPAA consultant, contends that its act of
mailing the records to the Probate Court complied with
Connecticut and federal law, as its staff complied with
the directions of the attorney who had issued the sub-
poena and its privacy policy had unequivocally
informed the plaintiff that it would use or disclose
health information in response to a subpoena without
patient authorization or the opportunity to object. The
defendant posits that the true responsibility for the
breach of the plaintiff’s privacy lies with the members
of the Probate Court staff who did not seal the records
upon receipt pending a court order making them avail-
able to counsel.
Given the apparently undeveloped factual record at
this point, and the fact that the plaintiff’s breach of
contract and negligent misrepresentation claims remain
pending, requiring further proceedings before the trial
court; see footnote 3 of this opinion; we decline to
address this claim further, other than to note that state
court pretrial practices must be HIPAA compliant; see,
e.g., Law v. Zuckerman, 307 F. Supp. 2d 705, 710–11
(D. Md. 2004); Arons v. Jutkowitz, 9 N.Y.3d 393, 415,
880 N.E.2d 831, 850 N.Y.S.2d 345 (2007); a requirement
that extends to responses to subpoenas. See State v.
La Cava, Superior Court, judicial district of Danbury,
Docket No. CR-06-0128258-S (May 17, 2007) (43 Conn.
L. Rptr. 417, 418) (The trial court granted the hospital’s
motion to quash the subpoena of the hospital records
requested pursuant to General Statutes § 4-104 because
‘‘delivery of the hospital record to the clerk of court
authorized by § 4-104 constitutes a transfer of protected
health information to an outside entity. Yet, under 45
C.F.R. § 164.512 [e] [1] [ii], a hospital cannot transfer
protected health information to an outside entity with-
out receiving the satisfactory assurances set forth in
45 C.F.R. § 164.512 [e] [1] [ii] [A] or [B], or complying
with the requirements of 45 C.F.R. § 164.512 [e] [1] [vi].
Hence, a covered entity would find it impossible to
comply with § 4-104 without violating 45 C.F.R.
§ 164.512 [e].’’).
B
We next turn to the defendant’s argument, founded
on the Superior Court’s decision in Meade v. Orthopedic
Associates of Windham County, supra, Superior Court,
Docket No. CV-06-4005043-S, that it is entitled to sum-
mary judgment on the plaintiff’s state law statutory
claims under § 52-146o because that statute does not
provide a private right of action. The plaintiff does not
contend otherwise in her reply brief. Indeed, her argu-
ments on other points therein suggest that her claims
in this case are limited to violations of the state common
law. We decline to reach the defendant’s statutory argu-
ment because we do not read the plaintiff’s complaint
as asserting a statutory right of action under § 52-146o.
Accordingly, we take no position on whether § 52-146o
provides a statutory right of action.
‘‘The interpretation of pleadings is always a question
of law for the court . . . . Our review of the trial
court’s interpretation of the pleadings therefore is ple-
nary. . . . Furthermore, we long have eschewed the
notion that pleadings should be read in a hypertechnical
manner. Rather, [t]he modern trend, which is followed
in Connecticut, is to construe pleadings broadly and
realistically, rather than narrowly and technically. . . .
[T]he complaint must be read in its entirety in such a
way as to give effect to the pleading with reference to
the general theory upon which it proceeded, and do
substantial justice between the parties. . . . Our read-
ing of pleadings in a manner that advances substantial
justice means that a pleading must be construed reason-
ably, to contain all that it fairly means, but carries with
it the related proposition that it must not be contorted
in such a way so as to strain the bounds of rational
comprehension. . . . Although essential allegations
may not be supplied by conjecture or remote implica-
tion . . . the complaint must be read in its entirety in
such a way as to give effect to the pleading with refer-
ence to the general theory upon which it proceeded,
and do substantial justice between the parties. . . . As
long as the pleadings provide sufficient notice of the
facts claimed and the issues to be tried and do not
surprise or prejudice the opposing party, we will not
conclude that the complaint is insufficient to allow
recovery.’’ (Citations omitted; internal quotation marks
omitted.) Grenier v. Commissioner of Transportation,
306 Conn. 523, 536–37, 51 A.3d 367 (2012).
The operative complaint asserts four counts, each
captioned with a common-law cause of action, namely,
(1) breach of contract, (2) negligence, (3) negligent
misrepresentation, and (4) negligent infliction of emo-
tional distress. The alleged violation of § 52-146o is men-
tioned once as a specification of negligence in count
two, negligence, which is incorporated by reference
into count four, stating that ‘‘the defendant was negli-
gent and [careless] in one or more of the following ways
. . . . It disclosed the medical file, without authority,
in violation of . . . § 52-146o.’’ In context, with all of
the captioned causes of action arising from the common
law, we read this single mention of § 52-146o as provid-
ing one of several bases for establishing the standard
of care applicable to the plaintiff’s common-law negli-
gence claims and not as asserting an independent cause
of action. See footnote 22 of this opinion and accompa-
nying text. Thus, we conclude that the plaintiff’s com-
plaint does not plead a statutory cause of action arising
under § 52-146o, and decline to decide whether that
statute provides such a private right of action.
The judgment is reversed and the case is remanded to
the trial court for further proceedings according to law.
In this opinion PALMER, EVELEIGH, McDONALD
and VERTEFEUILLE, Js., concurred.
* The listing of justices reflects their seniority status on this court as of
the date of oral argument.
This case was originally scheduled to be argued before a panel of this court
consisting of Chief Justice Rogers and Justices Norcott, Palmer, Zarella,
Eveleigh, McDonald and Vertefeuille. Although Justice Palmer was not pre-
sent when the case was argued before the court, he read the record and
briefs and listened to a recording of oral argument prior to participating in
this decision.
1
Title 42 of the United States Code, § 1320d-7 (a), provides in relevant
part: ‘‘(1) . . . Except as provided in paragraph (2), a provision or require-
ment under this part, or a standard or implementation specification adopted
or established under sections 1320d-1 through 1320d-3 of this title, shall
supersede any contrary provision of State law, including a provision of
State law that requires medical or health plan records (including billing
information) to be maintained or transmitted in written rather than elec-
tronic form.
‘‘(2) Exceptions
‘‘A provision or requirement under this part, or a standard or implementa-
tion specification adopted or established under sections 1320d-1 through
1320d-3 of this title, shall not supersede a contrary provision of State law,
if the provision of State law—
‘‘(A) is a provision the Secretary determines—
‘‘(i) is necessary—
‘‘(I) to prevent fraud and abuse;
‘‘(II) to ensure appropriate State regulation of insurance and health plans;
‘‘(III) for State reporting on health care delivery or costs; or
‘‘(IV) for other purposes; or
‘‘(ii) addresses controlled substances; or
‘‘(B) subject to section 264 (c) (2) of the Health Insurance Portability and
Accountability Act of 1996, relates to the privacy of individually identifiable
health information. . . .’’
2
We note that the trial court subsequently granted the plaintiff’s motion
to add Douglas Wolinsky, the bankruptcy trustee appointed by the United
States Bankruptcy Court for the District of Vermont, as a party plaintiff.
See General Statutes § 52-108; Practice Book § 9-18. For the sake of conve-
nience, all references to the plaintiff in this opinion are to Byrne.
3
Ordinarily, the trial court’s dismissal of counts two and four of the
operative complaint would not constitute an appealable final judgment. See
Kelly v. New Haven, 275 Conn. 580, 594, 881 A.2d 978 (2005). We note,
however, that the plaintiff obtained permission to file the present appeal
with the Appellate Court pursuant to Practice Book § 61-4. This appeal was
subsequently transferred to this court pursuant to General Statutes § 51-
199 (c) and Practice Book § 65-1.
We also note that the defendant filed a cross appeal to the Appellate
Court from the trial court’s denial of its motion for summary judgment with
respect to counts one and three of the complaint. After a hearing, the
Appellate Court dismissed the defendant’s cross appeal for lack of a final
judgment, noting that the defendant had not obtained permission pursuant
to Practice Book § 61-4 to appeal from that aspect of the trial court’s decision.
4
We note that the operative complaint in the present case alleges that
the plaintiff discovered she was pregnant around the same time she termi-
nated her relationship with Mendoza.
5
We also note that, according to the operative complaint, Mendoza has
utilized the information contained within these records to file numerous
civil actions, including paternity and visitation actions, against the plaintiff,
her attorney, her father and her father’s employer, and to threaten her with
criminal charges.
6
General Statutes § 52-146o provides: ‘‘(a) Except as provided in sections
52-146c to 52-146j, inclusive, and subsection (b) of this section, in any civil
action or any proceeding preliminary thereto or in any probate, legislative
or administrative proceeding, a physician or surgeon, as defined in subsec-
tion (b) of section 20-7b, shall not disclose (1) any communication made
to him by, or any information obtained by him from, a patient or the conserva-
tor or guardian of a patient with respect to any actual or supposed physical
or mental disease or disorder, or (2) any information obtained by personal
examination of a patient, unless the patient or his authorized representative
explicitly consents to such disclosure.
‘‘(b) Consent of the patient or his authorized representative shall not be
required for the disclosure of such communication or information (1) pursu-
ant to any statute or regulation of any state agency or the rules of court,
(2) by a physician, surgeon or other licensed health care provider against
whom a claim has been made, or there is a reasonable belief will be made,
in such action or proceeding, to his attorney or professional liability insurer
or such insurer’s agent for use in the defense of such action or proceeding,
(3) to the Commissioner of Public Health for records of a patient of a
physician, surgeon or health care provider in connection with an investiga-
tion of a complaint, if such records are related to the complaint, or (4) if
child abuse, abuse of an elderly individual, abuse of an individual who is
physically disabled or incompetent or abuse of an individual with intellectual
disability is known or in good faith suspected.’’
We note that the legislature made certain technical changes to § 52-146o
subsequent to the events underlying the present appeal. See Public Acts
2011, No. 11-129, § 20. For purposes of convenience and clarity, however,
all references to § 52-146o within this opinion are to the current revision
of the statute.
7
Specifically, the plaintiff alleged, in paragraphs 25 (f), (g), (h), (i) and
(j) of the complaint, violations of the following regulations of the department:
(1) 45 C.F.R. § 164.512 (e) (1) (ii) by ‘‘failing to seek itself or obtain ‘satisfac-
tory assurances’ from the person seeking the information in that the person
seeking the information failed to provide to the defendant proof that reason-
able efforts were made to either . . . [e]nsure that the plaintiff was provided
sufficient notice of the request, or . . . [s]eek a qualified protective order’’;
(2) 45 C.F.R. § 164.512 (e) (1) (iii) ‘‘in failing to determine that the plaintiff
had not received satisfactory notice of the request for her records from the
face of the subpoena’’; (3) 45 C.F.R. §§ 164.508 (b) (2) and 164.508c (1)-(3)
‘‘in that the subpoena was not a valid authorization to produce the records’’;
(4) 45 C.F.R. § 164.522 ‘‘in failing to follow the plaintiff’s request for additional
privacy protection of her protected health information from production to
the party requesting it’’; and (5) 45 C.F.R. § 164.502 ‘‘in failing to determine
and produce only the minimum necessary data requested.’’
8
In Fisher, a judge of the Superior Court concluded that HIPAA’s omission
of a private right of action preempts, under 42 U.S.C. § 1320d-7 (a) (2) (B),
state law causes of action arising from health care providers’ breaches of
patient privacy. Specifically, the court concluded that a plaintiff’s claim,
which was brought under the Connecticut Unfair Trade Practices Act
(CUTPA), General Statutes § 42-110a et seq., challenging a hospital’s ‘‘fail[-
ure] to comply with HIPAA’s privacy requirements’’ was preempted because
‘‘[i]f Congress had intended to allow for a private action as part of this
program, it could have included it in the legislation or authorized the Secre-
tary [of the department] to provide for the same by rulemaking,’’ and ‘‘[t]here-
fore, to the extent CUTPA permits a private right of action for a HIPAA
violation, CUTPA constitutes a ‘contrary’ provision of state law and falls
within the ambit of the HIPAA general preemption rule.’’ Fisher v. Yale
University, supra, Superior Court, Docket No. X10-CV-04-4003207-S. In so
concluding, the court rejected the plaintiff’s argument that, ‘‘since a violation
of HIPAA is a violation of a clearly delineated public policy, it is actionable
under CUTPA, and that the ability of a plaintiff to bring the action will result
in greater privacy protection to her as a subject of individually identifiable
health information.’’ Id.; see also Salatto v. Hospital of Saint Raphael,
Superior Court, judicial district of New Haven, Docket No. CV-09-5032170-
S (October 6, 2010) (The trial court granted a motion for summary judgment
as to the plaintiff’s ‘‘negligence per se claims [that] assert that the defendant
violated his right to confidentiality, pursuant to HIPAA. It is well settled
that HIPAA does not create a private right of action.’’); Meade v. Orthopedic
Associates of Windham County, supra, Superior Court, Docket No. CV-06-
4005043-S (‘‘[t]his court concurs with the reasoning in Fisher and, therefore,
finds that the plaintiff’s CUTPA claim is preempted by HIPAA and does not
provide a private right of action’’).
9
The trial court further disagreed with the plaintiff’s argument analogizing
HIPAA to the federal Occupational Safety and Health Act, 29 U.S.C. §651
et seq., whose regulations ‘‘may be used as evidence of the standard of care
in a negligence action against an employer’’; Wagner v. Clark Equipment
Co., 243 Conn. 168, 188, 700 A.2d 38 (1997); observing that ‘‘[n]o such history
exists for HIPAA regulations.’’
10
Specifically, the trial court noted the ‘‘stark difference’’ between § 52-
146o and the more comprehensive safeguards for the disclosure of medical
records in administrative and judicial proceedings set forth by 45 C.F.R.
§ 164.512 (e); see footnote 12 of this opinion; and observed that, ‘‘[t]o the
extent that § 52-146o permits disclosure of protected medical records pursu-
ant to a subpoena without the safeguards required by HIPAA, it is both
contrary to and less stringent than HIPAA and therefore superseded by
HIPAA.’’
11
Title 45 of the Code of Federal Regulations (2004), § 160.202, implements
42 U.S.C. § 1320d-7, and provides: ‘‘For purposes of this subpart, the follow-
ing terms have the following meanings:
‘‘Contrary, when used to compare a provision of [s]tate law to a standard,
requirement, or implementation specification adopted under this subchap-
ter, means:
‘‘(1) A covered entity would find it impossible to comply with both the
[s]tate and [f]ederal requirements; or
‘‘(2) The provision of [s]tate law stands as an obstacle to the accomplish-
ment and execution of the full purposes and objectives of part C of title XI
of the Act, section 264 of [Public Law] 104–191, as applicable.
‘‘More stringent means, in the context of a comparison of a provision of
[s]tate law and a standard, requirement, or implementation specification
adopted under subpart E of part 164 of this subchapter, a [s]tate law that
meets one or more of the following criteria:
‘‘(1) With respect to a use or disclosure, the law prohibits or restricts a
use or disclosure in circumstances under which such use or disclosure
otherwise would be permitted under this subchapter, except if the disclo-
sure is:
‘‘(i) Required by the Secretary in connection with determining whether
a covered entity is in compliance with this subchapter; or
‘‘(ii) To the individual who is the subject of the individually identifiable
health information.
‘‘(2) With respect to the rights of an individual, who is the subject of the
individually identifiable health information, regarding access to or amend-
ment of individually identifiable health information, permits greater rights
of access or amendment, as applicable.
‘‘(3) With respect to information to be provided to an individual who is
the subject of the individually identifiable health information about a use, a
disclosure, rights, and remedies, provides the greater amount of information.
‘‘(4) With respect to the form, substance, or the need for express legal
permission from an individual, who is the subject of the individually identifi-
able health information, for use or disclosure of individually identifiable
health information, provides requirements that narrow the scope or duration,
increase the privacy protections afforded (such as by expanding the criteria
for), or reduce the coercive effect of the circumstances surrounding the
express legal permission, as applicable.
‘‘(5) With respect to recordkeeping or requirements relating to accounting
of disclosures, provides for the retention or reporting of more detailed
information or for a longer duration.
‘‘(6) With respect to any other matter, provides greater privacy protection
for the individual who is the subject of the individually identifiable health
information.
‘‘Relates to the privacy of individually identifiable health information
means, with respect to a [s]tate law, that the [s]tate law has the specific
purpose of protecting the privacy of health information or affects the privacy
of health information in a direct, clear, and substantial way.
‘‘State law means a constitution, statute, regulation, rule, common law,
or other [s]tate action having the force and effect of law.’’ (Emphasis in
original.)
12
Title 45 of the Code of Federal Regulations, § 164.512, provides in rele-
vant part: ‘‘A covered entity may use or disclose protected health information
without the written authorization of the individual, as described in § 164.508,
or the opportunity for the individual to agree or object as described in
§ 164.510, in the situations covered by this section, subject to the applicable
requirements of this section. When the covered entity is required by this
section to inform the individual of, or when the individual may agree to, a
use or disclosure permitted by this section, the covered entity’s information
and the individual’s agreement may be given orally.
‘‘(a) Standard: Uses and disclosures required by law. (1) A covered entity
may use or disclose protected health information to the extent that such
use or disclosure is required by law and the use or disclosure complies with
and is limited to the relevant requirements of such law.
‘‘(2) A covered entity must meet the requirements described in paragraph
(c), (e), or (f) of this section for uses or disclosures required by law.
***
‘‘(e) Standard: Disclosures for judicial and administrative proceed-
ings.—(1) Permitted disclosures. A covered entity may disclose protected
health information in the course of any judicial or administrative proceeding:
‘‘(i) In response to an order of a court or administrative tribunal, provided
that the covered entity discloses only the protected health information
expressly authorized by such order; or
‘‘(ii) In response to a subpoena, discovery request, or other lawful process,
that is not accompanied by an order of a court or administrative tribunal, if:
‘‘(A) The covered entity receives satisfactory assurance, as described in
paragraph (e) (1) (iii) of this section, from the party seeking the information
that reasonable efforts have been made by such party to ensure that the
individual who is the subject of the protected health information that has
been requested has been given notice of the request; or
‘‘(B) The covered entity receives satisfactory assurance, as described in
paragraph (e) (1) (iv) of this section, from the party seeking the information
that reasonable efforts have been made by such party to secure a qualified
protective order that meets the requirements of paragraph (e) (1) (v) of
this section.
‘‘(iii) For the purposes of paragraph (e) (1) (ii) (A) of this section, a covered
entity receives satisfactory assurances from a party seeking protected health
information if the covered entity receives from such party a written state-
ment and accompanying documentation demonstrating that:
‘‘(A) The party requesting such information has made a good faith attempt
to provide written notice to the individual (or, if the individual’s location
is unknown, to mail a notice to the individual’s last known address);
‘‘(B) The notice included sufficient information about the litigation or
proceeding in which the protected health information is requested to permit
the individual to raise an objection to the court or administrative tribunal; and
‘‘(C) The time for the individual to raise objections to the court or adminis-
trative tribunal has elapsed, and:
‘‘(1) No objections were filed; or
‘‘(2) All objections filed by the individual have been resolved by the court
or the administrative tribunal and the disclosures being sought are consistent
with such resolution.
‘‘(iv) For the purposes of paragraph (e) (1) (ii) (B) of this section, a covered
entity receives satisfactory assurances from a party seeking protected health
information, if the covered entity receives from such party a written state-
ment and accompanying documentation demonstrating that:
‘‘(A) The parties to the dispute giving rise to the request for information
have agreed to a qualified protective order and have presented it to the
court or administrative tribunal with jurisdiction over the dispute; or
‘‘(B) The party seeking the protected health information has requested a
qualified protective order from such court or administrative tribunal.
‘‘(v) For purposes of paragraph (e) (1) of this section, a qualified protective
order means, with respect to protected health information requested under
paragraph (e) (1) (ii) of this section, an order of a court or of an administra-
tive tribunal or a stipulation by the parties to the litigation or administrative
proceeding that:
‘‘(A) Prohibits the parties from using or disclosing the protected health
information for any purpose other than the litigation or proceeding for which
such information was requested; and
‘‘(B) Requires the return to the covered entity or destruction of the pro-
tected health information (including all copies made) at the end of the
litigation or proceeding.
‘‘(vi) Notwithstanding paragraph (e) (1) (ii) of this section, a covered entity
may disclose protected health information in response to lawful process
described in paragraph (e) (1) (ii) of this section without receiving satisfac-
tory assurance under paragraph (e) (1) (ii) (A) or (B) of this section, if the
covered entity makes reasonable efforts to provide notice to the individual
sufficient to meet the requirements of paragraph (e) (1) (iii) of this section
or to seek a qualified protective order sufficient to meet the requirements
of paragraph (e) (1) (iv) of this section.
‘‘(2) Other uses and disclosures under this section. The provisions of
this paragraph do not supersede other provisions of this section that other-
wise permit or restrict uses or disclosures of protected health information.
. . .’’ (Emphasis in original.)
13
Similarly, the plaintiff also asks us, as a matter of judicial economy in
the event of a remand, to determine, as a matter of law, whether the defen-
dant’s act of mailing the medical records into court in response to the
subpoena complied with General Statutes § 52-143 and the federal regulatory
provisions under HIPAA, namely, 45 C.F.R. § 164.512 (e) (1) (ii) and (iii),
with respect to notifying the plaintiff or seeking a qualified protective order.
See footnote 12 of this opinion. We address this claim in part II A of this
opinion.
14
For additional background discussion of health care providers’ common-
law duty to protect patient confidences, and the related cause of action,
compare, for example, Biddle v. Warren General Hospital, 86 Ohio St. 3d
395, 715 N.E.2d 518 (1999), with Quarles v. Sutherland, 215 Tenn. 651, 389
S.W.2d 249 (1965).
15
‘‘The Privacy Rule forbids an organization subject to its requirements (a
‘covered entity’) from using or disclosing an individual’s health information
(‘protected health information’) except as mandated or permitted by its
provisions . . . . ‘Covered entities’ generally include health plans, health
care clearinghouses and health care providers such as physicians, hospitals
and HMOs . . . . ‘Protected health information’ encompasses any individu-
ally identifiable health information held or transmitted by a covered entity
in any form or medium, whether electronic, paper or oral . . . .’’ (Citations
omitted.) Arons v. Jutkowitz, 9 N.Y.3d 393, 412–13, 880 N.E.2d 831, 850
N.Y.S.2d 345 (2007); id. (discussing, inter alia, 45 C.F.R. §§ 164.502 [a] [1],
164.512 [e]).
In the litigation context specifically, as reflected in 45 C.F.R. § 164.512
(e) (1) (i) and (ii), the ‘‘Privacy Rule also permits covered entities to use
or disclose protected health information without authorization pursuant to a
court or administrative order so long as only the protected health information
covered by the order is disclosed . . . or in response to a subpoena, discov-
ery request or other lawful process if the entity has received satisfactory
assurances that the party seeking the disclosure has made reasonable efforts
to ensure that the individual has been given notice of the request, or has
made reasonable efforts to secure a qualified protective order from a court
or administrative tribunal . . . .’’ (Citations omitted.) Id., 414; see footnote
12 of this opinion for the text of 45 C.F.R. § 164.512 (e).
16
See footnote 11 of this opinion.
17
Also exempted from preemption are: (1) provisions of state law
approved by the secretary of the department subject to certain conditions;
see 45 C.F.R. § 160.203 (a); (2) a ‘‘provision of [s]tate law, including [s]tate
procedures established under such law, as applicable, [which] provides for
the reporting of disease or injury, child abuse, birth, or death, or for the
conduct of public health surveillance, investigation, or intervention’’; 45
C.F.R. § 160.203 (c); and (3) a ‘‘provision of [s]tate law [that] requires a
health plan to report, or to provide access to, information for the purpose
of management audits, financial audits, program monitoring and evaluation,
or the licensure or certification of facilities or individuals.’’ 45 C.F.R.
§ 160.203 (d).
18
Title 42 of the United States Code, § 1320d-6 provides: ‘‘(a) Offense
‘‘A person who knowingly and in violation of this part—
‘‘(1) uses or causes to be used a unique health identifier;
‘‘(2) obtains individually identifiable health information relating to an
individual; or
‘‘(3) discloses individually identifiable health information to another
person,
‘‘shall be punished as provided in subsection (b) of this section. For
purposes of the previous sentence, a person (including an employee or other
individual) shall be considered to have obtained or disclosed individually
identifiable health information in violation of this part if the information is
maintained by a covered entity (as defined in the HIPAA privacy regulation
described in section 1320d-9 (b) (3) of this title) and the individual obtained
or disclosed such information without authorization.
‘‘(b) Penalties
‘‘A person described in subsection (a) of this section shall—
‘‘(1) be fined not more than $50,000, imprisoned not more than [one] year,
or both;
‘‘(2) if the offense is committed under false pretenses, be fined not more
than $100,000, imprisoned not more than [five] years, or both; and
‘‘(3) if the offense is committed with intent to sell, transfer, or use individu-
ally identifiable health information for commercial advantage, personal gain,
or malicious harm, be fined not more than $250,000, imprisoned not more
than [ten] years, or both.’’
19
This question had been raised in connection with proposed language
for 45 C.F.R. § 160.202 that would have specifically defined the application
of the phrase ‘‘more stringent’’ in a variety of contexts, including stating
that ‘‘more stringent’’ means, ‘‘[w]ith respect to penalties, provides greater
penalties.’’ (Emphasis added.) Standards for Privacy of Individually Identifi-
able Health Information, 64 Fed. Reg. 59,918, 60,051 (November 3, 1999);
see also id., p. 59,997 (explaining department’s initial decision to provide
specific definitions). In the commentary to the final rule, the department
stated that it had ‘‘reconsidered the proposed ‘penalty’ provision of the
proposed definition of ‘more stringent’ and have eliminated it. The HIPAA
statute provides for only two types of penalties: fines and imprisonment.
Both types of penalties could be imposed in addition to the same type of
penalty imposed by a state law, and should not interfere with the imposition
of other types of penalties that may be available under state law. Thus, we
think it is unlikely that there would be a conflict between state and federal
law in this respect, so that the proposed criterion is unnecessary and confus-
ing.’’ Standards for Privacy of Individually Identifiable Health Information,
65 Fed. Reg. 82,462, 82,582 (December 28, 2000).
20
We also note the body of case law establishing that, in the absence of
a private right of action under HIPAA, the federal courts lack jurisdiction
to remove actions containing a state law claim relying on HIPAA to support
the standard of care. This body of case law indicates HIPAA’s failure to
preempt state law causes of action by implication. See Hearn v. Reynolds,
876 F. Supp. 2d 798, 799–800 (S.D. Miss. 2012) (remanding removed case
to state court because, although complaint stated that ‘‘publications
amounted to HIPAA violations,’’ ‘‘HIPAA creates no private right of action’’
and complaint indicated that plaintiff ‘‘is concerned primarily with an intent
to injure his standing in the community rather than a disclosure of his
medical history’’); Baum v. Keystone Mercy Health Plan, 826 F. Supp. 2d
718, 721 (E.D. Pa. 2011) (remanding removed case to state court although
HIPAA ‘‘is implicated because the federal statute requires [d]efendants to
‘reasonably safeguard protected health information,’ such as the information
on the misplaced USB drive, ‘from any intentional or unintentional use or
disclosure’ . . . this is a fairly straightforward state-law tort case’’ with
claims of negligence, negligence per se and violations of Pennsylvania’s
unfair trade practices statute); K.V. v. Women’s Healthcare Network, LLC,
United States District Court, Docket No. 07-0228-CV-W-DW (W.D. Mo. June
6, 2007) (The court remanded the removed case, claiming negligence and
negligence per se arising from HIPAA violations, to the state court because
‘‘the parties concede that various courts around the country have determined
that there is no express or implied private cause of action under HIPAA.
Additionally, the state law claim raised in [c]ount [9] does not raise a substan-
tial federal question of great federal interest. The privacy standards imposed
by HIPAA are not uniquely federal and do not raise any issue of great federal
interest.’’); Harmon v. Maury County, United States District Court, Docket
No. 1:05CV0026 (M.D. Tenn. August 31, 2005) (The court remanded the
removed case to the state court because, although the plaintiffs’ negligence
per se claims cited HIPAA privacy regulation, ‘‘Congress did not provide an
exclusive federal remedy under HIPAA and HIPAA does not completely
preempt state law. There is no compelling federal interest nor is a substantial
federal question presented. [The] [p]laintiffs’ claims fall within that broad
class of state law claims based on federal regulations in the state court, as
described in [Grable & Sons Metal Products, Inc. v. Darue Engineering &
Mfg., supra, 545 U.S. 308].’’).
21
We find misplaced the defendant’s reliance on the Kentucky decision
in Young v. Carran, supra, 289 S.W.3d 586, and the Maine decision in Bonney
v. Stephens Memorial Hospital, supra, 17 A.3d 123. The court in Young held
only that HIPAA does not provide a private right of action—a proposition
not challenged by the plaintiff in this appeal—and that the HIPAA regulations
could not be used to support a negligence per se claim because of a Kentucky
statute that previously had been interpreted by the state’s Supreme Court
to limit negligence per se claims to violations only of Kentucky state statutes.
See Young v. Carran, supra, 588–89, citing T & M Jewelry, Inc. v. Hicks
ex rel. Hicks, 189 S.W.3d 526, 530 (Ky. 2006). Indeed, the Kentucky court
indicated that a properly pleaded claim of negligence, rather than negligence
per se, could be founded on federal regulatory violations, noting that, in
T & M Jewelry, Inc., the Kentucky Supreme Court had ‘‘used provisions of
the federal Gun Control Act of 1968 to define a duty of care for purposes
of a common law negligence action—not a . . . negligence per se claim.’’
Young v. Carran, supra, 589.
Bonney similarly held only that HIPAA did not afford the plaintiffs therein
a private right of action, and specifically noted that ‘‘HIPAA standards, like
state laws and professional codes of conduct, may be admissible to establish
the standard of care associated with a state tort claim,’’ which is precisely
what the plaintiff in this appeal seeks to do. Bonney v. Stephens Memorial
Hospital, supra, 17 A.3d 127–28.
Finally, we disagree with the defendant’s attempt to diminish the Utah
Court of Appeals decision in Sorensen v. Barbuto, supra, 143 P.3d 299 n.2,
which had rejected the claim that the plaintiff was ‘‘not entitled to a private
right of action for breach of professional standards,’’ which included ‘‘HIPAA,
the American Medical Association’s Principles of Medical Ethics, and the
Hippocratic Oath.’’ The Utah court emphasized that the plaintiff therein did
not contend that those provisions afforded him a private right of action,
but ‘‘[r]ather . . . that the professional standards contribute to the proper
standard of care . . . .’’ Id. Plainly implicit in this conclusion is that it is
proper in Utah to utilize HIPAA as evidence of the standard of care in
negligence actions.
22
Although it is not entirely clear from her brief, the record, or the allega-
tions in the operative complaint whether the plaintiff seeks to use the HIPAA
regulations simply as evidence of the standard of care, or as a basis for
negligence per se, this lack of clarity does not affect our preemption analysis.
We note, however, that whether the particular HIPAA regulations at issue
are suitable for use as a legislatively imposed standard of care for purposes
of establishing negligence per se is a potentially complex question of law
that has not been adequately briefed by the parties herein, and therefore,
is one that we need not decide in this appeal. See, e.g., Gore v. People’s
Savings Bank, 235 Conn. 360, 380, 665 A.2d 1341 (1995) (‘‘[i]n deciding
whether the legislature intended to provide for such statutory liability, we
look to the language of the statute and to the legislative history and purposes
underlying the provision’s enactment’’).