This article explores the relationship between the federal Health Insurance Portability and Accountability Act (“HIPAA”) and the Missouri common law action for breach of patient confidentiality.
In 1993, the Missouri Supreme Court recognized that a patient could bring a damage action against a physician who breaches his or her fiduciary duty to protect patient confidentiality. Brandt v. Medical Defense Associates, 856 S.W.2d 667, 670-71 (Mo. banc 1993). Brandt involved ex parte discussions between lawyers and treating physicians in a medical malpractice action. The Court held that the physicians in that case did not conspire to breach any fiduciary duty because the plaintiff waived his right of confidentiality by filing his lawsuit.
The Missouri Court of Appeals for the Eastern District later held that a plaintiff stated a proper cause of action for damages under Brandt. See, Fierstein v. DePaul Health Center, 949 S.W.2d 90, 92 (Mo. App. E.D. 1997) (Fierstein I). The hospital in Fierstein wrongfully disclosed the plaintiff’s confidential medical records to the opposing counsel in a custody dispute. The hospital mailed records described in a subpoena to the opposing counsel before a scheduled deposition. This action effectively deprived the plaintiff of her right to object to the disclosure of the records under court rules. Unlike in Brandt, the plaintiff in Fierstein never waived her right of confidentially in the custody litigation. The Court of Appeals ultimately affirmed a judgment in favor of the plaintiff in Fierstein v. DePaul Health Center, 24 S.W.3d 220 (Mo.App. E.D. 2000) (Fierstein II).
In 1996, Congress enacted HIPAA. HIPAA compels healthcare providers covered by the law to provide safeguards for protecting the confidentiality of patient information. The regulatory framework for the law is known as the HIPAA Privacy Rule.
HIPAA creates no private right of action. Instead, a patient aggrieved by an alleged violation of HIPAA may file an administrative complaint with the Secretary of Health and Human Services. 45 CFR §160.306(a). The Office of Civil Rights investigates the complaint on behalf of the Secretary. 45 CFR §160.306(c). If the Secretary is unable to reach an informal resolution of the complaint, she may impose a civil monetary penalty if she determines that the covered entity violated HIPAA. 45 CFR §160.402. Upon receiving notice of the proposed penalty, the covered entity then has a right to an administrative hearing. 45 CFR §160.420.
Although the regulatory structure of HIPAA is comprehensive, Missouri healthcare providers cannot rely on HIPAA preemption to avoid a state law claim for breach of patient confidentiality. The Missouri Supreme Court has noted that the HIPAA preemption clause does not apply when, among other things, the state law is more stringent than HIPAA. State ex rel. Proctor v. Messina, 320 S.W.3d 145, 149 (Mo. banc 2010); see also, 42 U.S.C. Section 1320d-7. Logically, the HIPAA preemption clause should have no effect on Missouri’s common law damage remedy. Missouri has the flexibility under HIPAA to provide a more stringent approach to the protection of patient confidentiality.
HIPAA should not preempt Missouri’s independent state law claim for breach of patient confidentiality. In practice, courts suggest that the validity of a state law claim depends on whether the particular state recognized the existence of a common law claim prior to or independent from the adoption of HIPAA. See, e.g., Herman v. Kratche, 2006 Ohio App. LEXIS 5895 (Ohio Ct. App. Nov. 9, 2006) (recognizing independent tort in Ohio). Because Missouri recognized the tort for breach of patient confidentiality in Brandt - prior to and independent from HIPAA - HIPAA should not preempt the Missouri common law claim. And it is instructive that federal preemption was not even raised as a possible defense in either Fierstein I or Fierstein II.
Missouri appellate courts have not yet confronted the question of what evidentiary effect HIPAA and its regulations may have on a common law claim. Even though HIPAA creates no private right of action, HIPAA arguably helps to define the standard of care in common law actions. A North Carolina court took this view in Acosta v. Byrum, 638 S.E.2d 246, 253 (N.C.Ct.App. 2006). In today’s regulatory environment, healthcare providers must develop policies to ensure compliance with HIPAA. So, the HIPAA Privacy Rule arguably provides evidence of how the provider is expected to protect its confidential patient information. Yet this remains an open question under Missouri law.
In conclusion, a Missouri patient victimized by the wrongful disclosure of confidential patient information may pursue remedies under federal or state law, or both. The aggrieved person may file a federal complaint with the Secretary of Health and Human Services. Or the person may bring an independent action for damages under the Missouri common law.
DISCLAIMERS: This article contains general information for discussion purposes only. The author is not rendering legal advice, and this article does not create an attorney-client relationship. Each case is different and must be judged on its own merits. Missouri rules generally prohibit lawyers from advertising that they specialize in particular areas of the law. This article should not be construed to suggest such specialization. The choice of a lawyer is an important decision and should not be based solely upon advertisements.
©Daniel R. Schramm, L.L.C. (2013)
 Proctor addressed the question of whether HIPAA preempts Missouri law on ex parte communications between the defendant’s lawyer and a plaintiff’s treating physician in a medical malpractice case. The Court concluded that HIPAA does not preempt Missouri law on that particular issue. State ex rel. Proctor v. Messina, 320 S.W.3dat 157. The Court nonetheless held that the trial judge was prohibited from giving an advisory opinion to non-party medical providers that they were permitted to engage in ex parte communications with the defendant’s lawyer. Id. at 158. Proctor does not bar a common law damage action against a physician for breach of patient confidentiality.