Emily BYRNE v. AVERY CENTER FOR OBSTETRICS AND GYNECOLOGY, P.C.
Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1320d et seq., as a comprehensive legislative and regulatory scheme to, inter alia, protect the privacy of patients' health information given emerging advances in information technology. In this appeal, we determine whether HIPAA, which lacks a private right of action and preempts “contrary” state laws; 42 U.S.C. § 1320d7 (2006);1 preempts state law claims for negligence and negligent infliction of emotional distress against a health care provider who is alleged to have improperly breached the confidentiality of a patient's medical records in the course of complying with a subpoena. The plaintiff, Emily Byrne,2 appeals from the judgment of the trial court dismissing counts two and four of the operative amended complaint (complaint) filed against the defendant, the Avery Center for Obstetrics and Gynecology, P.C.3 On appeal, the plaintiff contends that the trial court improperly concluded that her state law claims for negligence and negligent infliction of emotional distress were preempted by HIPAA. We conclude that, to the extent that Connecticut's common law provides a remedy for a health care provider's breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA does not preempt the plaintiff's state common-law causes of action for negligence or negligent infliction of emotional distress against the health care providers in this case and, further, that regulations of the Department of Health and Human Services (department) implementing HIPAA may inform the applicable standard of care in certain circumstances. Accordingly, we reverse the judgment of the trial court.
“In May, 2004, the plaintiff began a personal relationship with Andro Mendoza, which lasted until September, 2004.4 ․ In October, 2004, she instructed the defendant not to release her medical records to Mendoza. In March, 2005, she moved from Connecticut to Vermont where she presently lives. On May 31, 2005, Mendoza filed paternity actions against the plaintiff in Connecticut and Vermont. Thereafter, the defendant was served with a subpoena requesting its presence together with the plaintiff's medical records at the New Haven Regional Children's [Probate Court] on July 12, 2005. The defendant did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court. Rather, the defendant mailed a copy of the plaintiff's medical file to the court around July 12, 2005. In September, 2005, ‘[Mendoza] informed [the] plaintiff by telephone that he reviewed [the] plaintiff's medical file in the court file.’ On September 15, 2005, the plaintiff filed a motion to seal her medical file, which was granted. The plaintiff alleges that she suffered harassment and extortion threats from Mendoza since he viewed her medical records.”5 (Footnotes altered.)
With respect to the plaintiff's negligence based claims in counts two and four of the complaint, the trial court agreed with the defendant's contention that “HIPAA preempts ‘any action dealing with confidentiality/privacy of medical information,’ “ which prompted the court to treat the summary judgment motion as one seeking dismissal for lack of subject matter jurisdiction. In its memorandum of decision, the trial court first considered the plaintiff's negligence claims founded on the violations of the regulations implementing HIPAA. The court first observed the “well settled” proposition that HIPAA does not create a private right of action, requiring claims of violations instead to be raised through the department's administrative channels. The trial court then relied on Fisher v. Yale University, Superior Court, judicial district of New Haven, Complex Litigation Docket, Docket No. X10–CV–04–4003207–S (April 3, 2006), and Meade v. Orthopedic Associates of Windham County, Superior Court, judicial district of Windham, Docket No. CV–06–4005043–S (December 27, 2007),8 and rejected the plaintiff's claim that she had not utilized HIPAA as the basis of her cause of action, but rather, relied on it as “ ‘evidence of the appropriate standard of care’ for claims brought under state law, namely, negligence.”9 Emphasizing that the courts cannot supply a private right of action that the legislature intentionally had omitted, the trial court noted that the “plaintiff has labeled her claims as negligence claims, but this does not change their essential nature. They are HIPAA claims.” The trial court further determined that the plaintiff's statutory negligence claims founded on a violation of § 52–146o were similarly preempted because the state statute had been superseded by HIPAA, and thus the plaintiff's state statutory claim “amount[ed] to a claim for a HIPAA violation, a claim for which there is no private right of action.”10
The trial court concluded similarly with respect to the plaintiff's common-law negligence claims, observing that, under the regulatory definitions implementing HIPAA's preemption provision; see 42 U.S.C. § 1320d7 (a); 45 C.F.R. § 160.202 (2004);11 to “the extent that common-law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA's preemption rule. Because it is not more stringent, according to the definition of 45 C.F.R. § 160.202, the preemption exception does not apply.” For the same reasons, the trial court dismissed count four of the complaint, claiming negligent infliction of emotional distress.
On appeal, the plaintiff claims that the trial court improperly determined that HIPAA preempted her negligence based state law claims. Conceding that there is no private right of action under HIPAA, the plaintiff asserts that she is not asserting a claim for relief premised solely on a violation of HIPAA, but rather, relies heavily on Merrell Dow Pharmaceuticals, Inc. v. Thompson, 478 U.S. 804, 106 S.Ct. 3229, 92 L.Ed.2d 650 (1986), Acosta v. Byrum, 180 N.C.App. 562, 638 S.E.2d 246 (2006), and R.K. v. St. Mary's Medical Cen ter, Inc., 229 W. Va. 712, 735 S.E.2d 715 (2012), cert. denied, U.S., 133 S.Ct. 1738, 185 L.Ed.2d 788 (2013), in support of the proposition that common-law negligence actions, with HIPAA informing the standard of care, may complement rather than “obstruct” HIPAA for preemption purposes. Citing, inter alia, Mead v. Burns, 199 Conn. 651, 662–63, 509 A.2d 11 (1986), and Wendland v. Ridgefield Construction Services, Inc., 184 Conn. 173, 181, 439 A.2d 954 (1981), the plaintiff emphasizes that the use of other state law causes of action to enforce statutes otherwise lacking private rights of action has been upheld by this court in the analogous contexts of the Connecticut Unfair Insurance Practices Act, General Statutes § 38a–815 et seq., and the federal Occupational Safety and Health Act (OSHA), 29 U.S.C. § 651 et seq., and its state counterpart, General Statutes § 31–367 et seq. The plaintiff further argues that, under HIPAA and its implementing regulation; see 42 U.S.C. § 1320d–7 (a)(1); 45 C.F.R. § 160.202; her state law claims for relief are not preempted because it is not “contrary to” HIPAA to provide for damages under state common-law claims for privacy breaches.
In response, the defendant relies on the long line of federal and state cases establishing that there is no private right of action, express or implied, under HIPAA. See, e.g., O'Donnell v. Blue Cross Blue Shield of Wyoming, 173 F.Supp.2d 1176 (D.Wyo.2001); Fisher v. Yale University, supra, Superior Court, Docket No. X10–CV–04–4003207–S. Observing that “playing word games does not change the underlying theory of liability,” the defendant relies on Young v. Carran, 289 S. W.3d 586 (Ky.App.2008), review denied, 2009 Ky. LEXIS 592 (Ky. August 19, 2009), and Bonney v. Stephens Memorial Hospital, 17 A.3d 123 (Me.2011), and contends that, because there is no private right of action under HIPAA, “a plaintiff cannot use a violation of HIPAA as the standard of care for underlying claims, such as negligence.” The defendant further emphasizes that the plaintiff's negligence claim relying on § 52–146o is preempted because HIPAA is more stringent than the state statute. Finally, the defendant also argues briefly, in what appears to be either alternative grounds for affirming the judgment of the trial court or matters likely to arise on remand, that: (1) there is no private right of action under § 52–146o; and (2) it was not obligated, as a matter of law, to inform the plaintiff that it had complied with a subpoena, and its compliance with the subpoena did not violate her privacy rights.13
We note at the outset that whether Connecticut's common law provides a remedy for a health care provider's breach of its duty of confidentiality, including in the context of responding to a subpoena, is not an issue presented in this appeal. Thus, assuming, without deciding, that Connecticut's common law recognizes a negligence cause of action arising from health care providers' breaches of patient privacy in the context of complying with subpoenas,14 we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances.
The defendant's claim that HIPAA preemption shifts the exclusive venue for the resolution of all disputes relating to that statute from the state court to the federal administrative forum implicates our subject matter jurisdiction. See, e.g., Stokes v. Norwich Taxi, LLC, 289 Conn. 465, 488 and n. 18, 958 A.2d 1195 (2008). As the trial court properly noted, the defendant's summary judgment essentially was a “motion to dismiss [that] ․ properly attacks the jurisdiction of the court, essentially asserting that the plaintiff cannot as a matter of law and fact state a cause of action that should be heard by the court․ A motion to dismiss tests, inter alia, whether, on the face of the record, the court is without jurisdiction․ [O]ur review of the court's ultimate legal conclusion and resulting [determination] of the motion to dismiss will be de novo․ In undertaking this review, we are mindful of the well established notion that, in determining whether a court has subject matter jurisdiction, every presumption favoring jurisdiction should be indulged.” (Citation omitted; internal quotation marks omitted.) Conboy v. State, 292 Conn. 642, 650, 974 A.2d 669 (2009); see also Practice Book § 10–31(a)(1).
Whether state causes of action are preempted by federal statutes and regulations is a question of law over which our review is plenary. See, e.g., Hackett v. J.L.G. Properties, LLC, 285 Conn. 498, 502–503, 940 A.2d 769 (2008). Thus, we note that “the ways in which federal law may [preempt] state law are well established and in the first instance turn on congressional intent․ Congress' intent to supplant state authority in a particular field may be express[ed] in the terms of the statute.” (Internal quotation marks omitted.) Id., at 503; see also id., at 504 (“The question of preemption is one of federal law, arising under the supremacy clause of the United States constitution․ Determining whether Congress has exercised its power to preempt state law is a question of legislative intent.” [Internal quotation marks omitted.] ).
Turning to the HIPAA provisions at issue in this appeal, we note by way of background that, “[r]ecognizing the importance of protecting the privacy of health information in the midst of the rapid evolution of health information systems, Congress passed HIPAA in August 1996. HIPAA's Administrative Simplification provisions, [§§ ] 261 through 264 of [Public Law 104–191], were designed to improve the efficiency and effectiveness of the health care system by facilitating the exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information in connection with such transactions․
“Within the Administrative Simplification section, Congress included another provision—[§ ] 264—outlining a two-step process to address the need to afford certain protections to the privacy of health information maintained under HIPAA. First, [§ ] 264(a) directed [the department] to submit to Congress within twelve months of HIPAA's enactment ‘detailed recommendations on standards with respect to the privacy of individually identifiable health information.’ ․ Second, if Congress did not enact further legislation pursuant to these recommendations within thirty-six months of the enactment of HIPAA, [the department] was to promulgate final regulations containing such standards.” (Citations omitted; footnote omitted.) South Carolina Medical Assn. v. Thompson, 327 F.3d 346,348 (4th Cir.), cert. denied, 540 U.S. 981, 124 S.Ct. 464, 157 L.Ed.2d 371 (2003). Because Congress ultimately failed to pass any additional legislation, the department's final regulations implementing HIPAA, known collectively as the “Privacy Rule,” were “promulgated in February 2001,” with compliance phased in over the next few years.15 Id., at 349.
With respect to the preemptive effect of HIPAA, 42 U.S.C. § 1320d–7 (a)(i) provides that: “Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall supersede any contrary provi sion of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.” (Emphasis added.) See footnote 1 of this opinion for the complete text of 42 U.S.C. § 1320d–7. The department's regulations, namely, 45 C.F.R. § 160.202 (2004) and 45 C.F.R. § 160.203, provide additional explication of HIPAA's preemptive effect. Specifically, 45 C.F.R. § 160.203 provides as a “general rule” that a “standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law.” (Emphasis added.) A state law is “contrary” to HIPAA if “(1) A covered entity would find it impossible to comply with both the [s]tate and [f]ederal requirements; or (2)[t]he provision of [s]tate law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of [HIPPA], [§ ] 264 of [Public Law] 104–191, as applicable.” (Emphasis added.) 45 C.F.R. § 160.202 (2004). The regulations define a “[s]tate law” as “a constitution, statute, regulation, rule, common law, or other [s]tate action having the force and effect of law.” (Emphasis added .) 45 C.F.R. § 160.202 (2004).
As relevant to this appeal, state laws exempted from preemption include those that “[relate] to the privacy of individually identifiable health information16 and [are] more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.”17 (Emphasis added; footnote added.) 45 C.F.R. § 160.203(b). A state law is “[m]ore stringent” “in the context of a comparison of a provision of [s]tate law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, [if it] meets one or more of the following criteria:
“(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable․
“(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.” 45 C.F.R. § 160.202 (2004); see also footnote 11 of this opinion.
This statutory and regulatory background brings us to the question in the present appeal, namely, whether HIPAA preempts a state law claim sounding in negligence arising from a health care provider's alleged breach of physician-patient confidentiality in the course of complying with a subpoena. It is by now well settled that the “statutory structure of HIPAA ․ precludes implication of a private right of action. [Section] 1320d–6 [of title 42 of the United States Code]18 expressly provides a method for enforcing its prohibition upon use or disclosure of individual's health information—the punitive imposition of fines and imprisonment for violations.” (Footnote added.) University of Colorado Hospital Authority v. Denver Pub lishing Co., 340 F.Supp.2d 1142, 1145 (D.Colo.2004); see also, e.g., 42 U.S.C. § 1320d–5 (providing for administrative enforcement by department and state attorneys general); Dodd v. Jones, 623 F.3d 563, 569 (8th Cir.2010); Acara v. Banks, 470 F.3d 569, 571 (5th Cir.2006); Rzayeva v. United States, 492 F.Supp.2d 60, 83 (D.Conn.2007); O'Donnell v. Blue Cross Blue Shield of Wyoming, supra, 173 F.Supp. at 2d 1180–81.
Nevertheless, it is similarly well established that, “[o]rdinarily, state causes of action are not [preempted] solely because they impose liability over and above that authorized by federal law.” (Internal quotation marks omitted.) English v. General Electric Co., 496 U.S. 72, 89, 110 S.Ct. 2270, 110 L.Ed.2d 65 (1990); see also id., at 87–90 (state tort claim for intentional infliction of emotional distress arising from termination of whistleblower not preempted by federal legislation intended to occupy field of nuclear safety, even with statutes' provision of administrative remedy for whistleblower violations). As a corollary, “a complaint alleging a violation of a federal statute as an element of a state cause of action, when Congress has determined that there should be no private, federal cause of action for the violation, does not state a claim ‘arising under the [c]onstitution, laws, or treaties of the United States' “ for purposes of federal question jurisdiction under 28 U.S.C. § 1331. Merrell Dow Pharmaceuticals, Inc. v. Thompson, supra, 478 U.S. at 817; see also Grable & Sons Metal Products, Inc. v. Darue Engineering & Mfg., 545 U.S. 308, 319, 125 S.Ct. 2363, 162 L.Ed.2d 257 (2005) ( “[a] general rule of exercising federal jurisdiction over state claims resting on federal mislabeling and other statutory violations would thus have heralded a potentially enormous shift of traditionally state cases into federal courts”).
Consistent with these principles, the regulatory history of the HIPAA demonstrates that neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff's medical records. As the plaintiff aptly notes, one commenter during the rulemaking process had “raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.”19 Standards for Privacy of Individually Identifiable Health Information, 65 Fed.Reg. 82,462, 82,582 (December 28, 2000). In its administrative commentary to the final rule as promulgated in the Federal Register, the department responded to this question by stating, inter alia, that “the fact that a state law allows an individual to file [a civil action] to protect privacy does not c onflict with the HIPAA penalty provisions,” namely, fines and imprisonment. (Emphasis added.) Id. This agency commentary on final rules in the Federal Register is significant evidence of regulatory intent. See, e.g., Exelon Generation Co., LLC v. Local 15, International Brotherhood of Electrical Workers, AFL–CIO, 676 F.3d 566, 573–75 (7th Cir.2012); Southeast Alaska Conservation Council v. United States Army Corps ofEngineers, 486 F.3d 638, 648 (9th Cir.2007), rev'd on other grounds sub nom. Coeur Alaska, Inc. v. Southeast Alaska Con servation Council, 557 U.S. 261, 129 S.Ct. 2458, 174 L.Ed.2d 193 (2009). Indeed, “[w]here an agency has authoritatively interpreted its own rule, courts generally defer to that reading unless it is plainly erroneous or inconsistent with the regulation.” (Internal quotation marks omitted.) Exelon Generation Co., LLC v. Local 15, International Brotherhood of Electrical Workers, AFL–CIO, supra, at 570.
Consistent with this regulatory history, the parties' briefs and our independent research disclose a number of cases from the federal and sister state courts holding that HIPAA, and particularly its implementation through the Privacy Rule regulations, does not preempt causes of action, when they exist as a matter of state common or statutory law, arising from health care providers' breaches of patient confidentiality in a variety of contexts; indeed, several have determined that HIPAA may inform the relevant standard of care in such actions.20 See I.S. v. Washington University, United States District Court, Docket No. 4:11CV235SNLJ (E.D. Mo. June 14, 2011) (The court rejected the defendant's argument that the “negligence per se” count of the plaintiff's complaint, premised on HIPAA violations, “in reality is a claim for violation of HIPAA, which is impermissible under federal law,” but remanding claim to state court because it “does not raise any compelling federal interest nor is a substantial federal question presented. Although HIPAA is clearly implicated in the claim for negligence per se, said claim fall [s] within that broad class of state law claims based on federal regulations in the state court․” [Internal quotation marks omitted.] ); Harmon v. Maury County, United States District Court, Docket No. 1:05CV0026 (M.D.Tenn. August 31, 2005) (concluding that plaintiffs' negligence per se claims founded on violation of HIPAA privacy regulation were not preempted because “HIPAA's provisions do not completely preempt state law and expressly preserve state laws that are not inconsistent with its terms” and “there is no private remedy under federal law and the critical interest is the privacy interests of the [p]laintiffs”); Fanean v. Rite Aid Corp. of Delaware, Inc., 984 A.2d 812, 823 (Del.Super.2009) (concluding that claim of negligence per se could not be premised on HIPAA violation, but following Toll Bros., Inc. v. Considine, 706 A.2d 493 [Del.1998], holding “that a common law negligence claim can be predicated upon OSHA requirements,” in concluding that common-law negligence claim could utilize HIPAA as “guidepost for determining the standard of care”); Young v. Carran, supra, 289 S.W.3d at 588–89 (rejecting plaintiff's attempt to use HIPAA as foundation for damages claim under state “negligence per se” statute, but observing that state case law permits use of federal statutes otherwise to inform standard of care in common-law negligence action); Bonney v. Stephens Memo rial Hospital, supra, 17 A.3d at 128 (“[a]lthough ․ HIPAA standards, like state laws and professional codes of conduct, may be admissible to establish the standard of care associated with a state tort claim, [HIPAA] itself does not authorize a private action”); Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 49–50 (Minn.App.2009) (concluding that state statutory cause of action for improper disclosure of medical records was not preempted by HIPAA because “[a]lthough the penalties under the two laws differ, compliance with [the Minnesota statute] does not exclude compliance with HIPAA,” and “[r]ather than creating an ‘obstacle’ to HIPAA, [the Minnesota statute] supports at least one of HIPAA's goals by establishing another disincentive to wrongfully disclose a patient's health care record”); Acosta v. Byrum, supra, 180 N.C.App. at 571–73 (The court concluded that the trial court improperly dismissed the negligent infliction of emotional distress case because the allegation that, when the psychiatrist “provided his medical access code ․ [he] violated the rules and regulations established by HIPAA ․ does not state a cause of action under HIPAA. Rather, [the] plaintiff cites to HIPAA as evidence of the appropriate standard of care, a necessary element of negligence.”); Sorensen v. Barbuto, 143 P.3d 295, 299 n. 2 (Utah App.2006) (The court noted that, in concluding that the trial court improperly dismissed the plaintiff's claim for breach of professional duties, that the defendant physician “contends that [the plaintiff] is not entitled to a private right of action for breach of professional standards,” but that the plaintiff “does not contend in his brief, however, that a private right of action exists. Rather, [the plaintiff] asserts that the professional standards contribute to the proper standard of care, citing [HIPAA], the American Medical Association's Principles of Medical Ethics, and the Hippocratic Oath.”); R.K. v. St. Mary's Medical Cen ter, Inc., supra, 229 W. Va. at 719–21 (concluding that state law claims for, inter alia, negligence, outrageous conduct, and invasion of privacy arising from defendant hospital staff's disclosure of plaintiff's psychiatric treatment records to his wife's divorce attorney, were not preempted by HIPAA and that goals of common-law remedies and HIPAA “are similar” in that “both protect the privacy of an individual's health care information”); but cf. Espinoza v. Gold Cross Services, Inc., 234 P.3d 156, 158–59 (Utah App.2010) (contrasting similar actions brought under California's unfair competition statute and declining to consider HIPAA copy fee schedules in concluding that plaintiff's common-law unjust enrichment claim arising from defendant's allegedly excessive copying fees failed because “[w]e have no basis in state or federal law to enforce federal regulations promulgated under HIPAA, either directly or as a component of a state cause of action”).21
On the basis of the foregoing authorities, we conclude that, if Connecticut's common law recognizes claims arising from a health care provider's alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims. We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients' medical records pursuant to a subpoena.22 The availability of such private rights of action in state courts, to the extent that they exist as a matter of state law, do not preclude, conflict with, or complicate health care providers' compliance with HIPAA. On the contrary, negligence claims in state courts support “at least one of HIPAA's goals by establishing another disincentive to wrongfully disclose a patient's health care record.” Yath v. Fairview Clinics, N.P., supra, 767 N. W.2d at 50. Accordingly, we conclude that the trial court improperly dismissed counts two and four of the plaintiff's complaint, sounding in negligence and negligent infliction of emotional distress.
Beyond the preemption issue, the parties raise two other matters that require attention because they may provide us with an opportunity to address issues that are likely to arise on remand or potentially provide an alternative basis for affirming the judgment of the trial court, at least in part. See, e.g., Total Recycling Services of Connecticut, Inc. v. Connecticut Oil Recycling Ser vices, LLC, 308 Conn. 312, 325, 63 A.3d 896 (2013). Specifically, we address: (1) the parties' request that we determine whether the defendant was negligent as a matter of law by not informing the plaintiff of the subpoena and by mailing the plaintiff's medical records into court; and (2) the defendant's argument that it is entitled to summary judgment on the plaintiff's state statutory claims because § 52–146o does not provide a private right of action.
Given the apparently undeveloped factual record at this point, and the fact that the plaintiff's breach of contract and negligent misrepresentation claims remain pending, requiring further proceedings before the trial court; see footnote 3 of this opinion; we decline to address this claim further, other than to note that state court pretrial practices must be HIPAA compliant; see, e.g., Law v. Zuckerman, 307 F.Supp.2d 705, 710–11 (D.Md.2004); Arons v. Jutkowitz, 9 N.Y.3d 393, 415, 880 N.E.2d 831, 850 N.Y.S .2d 345 (2007); a requirement that extends to responses to subpoenas. See State v. La Cava, Superior Court, judicial district of Danbury, Docket No. CR–06–0128258–S (May 17, 2007) (43 Conn. L. Rptr. 417, 418) (The trial court granted the hospital's motion to quash the subpoena of the hospital records requested pursuant to General Statutes § 4–104 because “delivery of the hospital record to the clerk of court authorized by § 4–104 constitutes a transfer of protected health information to an outside entity. Yet, under 45 C.F .R. § 164.512[e][ii], a hospital cannot transfer protected health information to an outside entity without receiving the satisfactory assurances set forth in 45 C.F.R. § 164.512[e][ii][A] or [B], or complying with the requirements of 45 C.F.R. § 164.512[e][vi]. Hence, a covered entity would find it impossible to comply with § 4–104 without violating 45 C.F.R. § 164.512 [e].”).
We next turn to the defendant's argument, founded on the Superior Court's decision in Meade v. Orthopedic Associates of Windham County, supra, Superior Court, Docket No. CV–06–4005043–S, that it is entitled to summary judgment on the plaintiff's state law statutory claims under § 52–146o because that statute does not provide a private right of action. The plaintiff does not contend otherwise in her reply brief. Indeed, her arguments on other points therein suggest that her claims in this case are limited to violations of the state common law. We decline to reach the defendant's statutory argument because we do not read the plaintiff's complaint as asserting a statutory right of action under § 52–146o. Accordingly, we take no position on whether § 52–146o provides a statutory right of action.
“The interpretation of pleadings is always a question of law for the court․ Our review of the trial court's interpretation of the pleadings therefore is plenary․ Furthermore, we long have eschewed the notion that pleadings should be read in a hypertechnical manner. Rather, [t]he modern trend, which is followed in Connecticut, is to construe pleadings broadly and realistically, rather than narrowly and technically․ [T]he complaint must be read in its entirety in such a way as to give effect to the pleading with reference to the general theory upon which it proceeded, and do substantial justice between the parties․ Our reading of pleadings in a manner that advances substantial justice means that a pleading must be construed reasonably, to contain all that it fairly means, but carries with it the related proposition that it must not be contorted in such a way so as to strain the bounds of rational comprehension․ Although essential allegations may not be supplied by conjecture or remote implication ․ the complaint must be read in its entirety in such a way as to give effect to the pleading with reference to the general theory upon which it proceeded, and do substantial justice between the parties․ As long as the pleadings provide sufficient notice of the facts claimed and the issues to be tried and do not surprise or prejudice the opposing party, we will not conclude that the complaint is insufficient to allow recovery.” (Citations omitted; internal quotation marks omitted.) Grenier v. Commissioner of Transportation, 306 Conn. 523, 536–37, 51 A.3d 367 (2012).
The operative complaint asserts four counts, each captioned with a common-law cause of action, namely, (1) breach of contract, (2) negligence, (3) negligent misrepresentation, and (4) negligent infliction of emotional distress. The alleged violation of § 52–146o is mentioned once as a specification of negligence in count two, negligence, which is incorporated by reference into count four, stating that “the defendant was negligent and [careless] in one or more of the following ways․ It disclosed the medical file, without authority, in violation of ․ § 52–146o.” In context, with all of the captioned causes of action arising from the common law, we read this single mention of § 52–146o as providing one of several bases for establishing the standard of care applicable to the plaintiff's common-law negligence claims and not as asserting an independent cause of action. See footnote 22 of this opinion and accompanying text. Thus, we conclude that the plaintiff's complaint does not plead a statutory cause of action arising under § 52–146o, and decline to decide whether that statute provides such a private right of action.
The judgment is reversed and the case is remanded to the trial court for further proceedings according to law.
In this opinion PALMER, EVELEIGH, McDONALD and VERTEFEUILLE, Js., concurred.
I agree with parts I and II A of the majority opinion. I respectfully disagree, however, with the majority's decision in part II B of the opinion not to reach and decide the defendant's statutory claim. The majority concludes that the plaintiff did not assert an independent claim under General Statutes § 52–146o because that claim is contained in counts two and four of the amended complaint alleging negligence and negligent infliction of emotional distress, respectively, instead of in a separate count. In my view, however, the majority indulges in an overly technical reading of counts two and four that is inconsistent with the modern view of pleading, which rejects a narrow, formalistic reading of the pleadings in favor of construing pleadings broadly and applying common sense. See, e.g., Fuessenich v. DiNardo, 195 Conn. 144, 150–51, 487 A.2d 514 (1985); Bombero v. Marchionne, 11 Conn.App. 485, 496, 528 A.2d 396 (Borden, J., dissenting), cert. denied, 205 Conn. 801, 529 A.2d 719 (1987); DeMartin v. Yale–New Haven Hospital, 4 Conn.App. 387, 390, 494 A.2d 1222, cert. denied, 197 Conn. 813, 499 A.2d 62 (1985). I thus believe that counts two and four, in which one of the plaintiff's assertions is that the defendant “disclosed the medical file, without authority, in violation of ․ § 52–146o,” directly allege a violation of the statute, and the fact that the allegation is not contained in a separate count is immaterial because the trial court and the parties have treated counts two and four throughout the proceedings as asserting a statutory violation. Accordingly, I believe that the statutory claim was properly raised and should have been decided by this court.
I finally emphasize that, because this court has determined that the issue of whether Connecticut's common law provides a remedy for a health care provider's breach of its duty of confidentiality in the course of complying with a subpoena has not been raised, the issue remains unresolved, which leaves the parties and the trial court to determine the most appropriate course of action as the litigation proceeds.
1. Title 42 of the United States Code, § 1320d–7 (a), provides in relevant part: “(1) ․ Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.“(2) Exceptions“A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall not supersede a contrary provision of State law, if the provision of State law—“(A) is a provision the Secretary determines—“(i) is necessary—(I) to prevent fraud and abuse;(II) to ensure appropriate State regulation of insurance and health plans;(III) for State reporting on health care delivery or costs; or(IV) for other purposes; or“(ii) addresses controlled substances; or“(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information․”
2. We note that the trial court subsequently granted the plaintiff's motion to add Douglas Wolinsky, the bankruptcy trustee appointed by the United States Bankruptcy Court for the District of Vermont, as a party plaintiff. See General Statutes § 52–108; Practice Book § 9–18. For the sake of convenience, all references to the plaintiff in this opinion are to Byrne.
3. Ordinarily, the trial court's dismissal of counts two and four of the operative complaint would not constitute an appealable final judgment. See Kelly v. New Haven, 275 Conn. 580, 594, 881 A.2d 978 (2005). We note, however, that the plaintiff obtained permission to file the present appeal with the Appellate Court pursuant to Practice Book § 61–4. This appeal was subsequently transferred to this court pursuant to General Statutes § 51–199(c) and Practice Book § 65–1.We also note that the defendant filed a cross appeal to the Appellate Court from the trial court's denial of its motion for summary judgment with respect to counts one and three of the complaint. After a hearing, the Appellate Court dismissed the defendant's cross appeal for lack of a final judgment, noting that the defendant had not obtained permission pursuant to Practice Book § 61–4 to appeal from that aspect of the trial court's decision.
4. We note that the operative complaint in the present case alleges that the plaintiff discovered she was pregnant around the same time she terminated her relationship with Mendoza.
5. We also note that, according to the operative complaint, Mendoza has utilized the information contained within these records to file numerous civil actions, including paternity and visitation actions, against the plaintiff, her attorney, her father and her father's employer, and to threaten her with criminal charges.
6. General Statutes § 52–146o provides: “(a) Except as provided in sections 52–146c to 52–146j, inclusive, and subsection (b) of this section, in any civil action or any proceeding preliminary thereto or in any probate, legislative or administrative proceeding, a physician or surgeon, as defined in subsection (b) of section 20–7b, shall not disclose (1) any communication made to him by, or any information obtained by him from, apatient or the conservator or guardian of a patient with respect to any actual or supposed physical or mental disease or disorder, or (2) any information obtained by personal examination of a patient, unless the patient or his authorized representative explicitly consents to such disclosure.“(b) Consent of the patient or his authorized representative shall not be required for the disclosure of such communication or information (1) pursuant to any statute or regulation of any state agency or the rules of court, (2) by a physician, surgeon or other licensed health care provider against whom a claim has been made, or there is a reasonable belief will be made, in such action or proceeding, to his attorney or professional liability insurer or such insurer's agent for use in the defense of such action or proceeding, (3) to the Commissioner of Public Health for records of a patient of a physician, surgeon or health care provider in connection with an investigation of a complaint, if such records are related to the complaint, or (4) if child abuse, abuse of an elderly individual, abuse of an individual who is physically disabled or incompetent or abuse of an individual with intellectual disability is known or in good faith suspected.”We note that the legislature made certain technical changes to § 52–146o subsequent to the events underlying the present appeal. See Public Acts 2011, No. 11–129, § 20. For purposes of convenience and clarity, however, all references to § 52–146o within this opinion are to the current revision of the statute.
7. Specifically, the plaintiff alleged, in paragraphs 25(f), (g), (h), (i) and (j) of the complaint, violations of the following regulations of the department: (1) 45 C.F.R. § 164.512(e)(1)(ii) by “failing to seek itself or obtain ‘satisfactory assurances' from the person seeking the information in that the person seeking the information failed to provide to the defendant proof that reasonable efforts were made to either ․ [e]nsure that the plaintiff was provided sufficient notice of the request, or ․ [s]eek a qualified protective order”; (2) 45 C.F.R. § 164.512(e)(1)(iii) “in failing to determine that the plaintiff had not received satisfactory notice of the request for her records from the face of the subpoena”; (3) 45 C.F.R. §§ 164.508(b)(2) and 164.508c (1)-(3) “in that the subpoena was not a valid authorization to produce the records”; (4) 45 C.F.R. § 164.522 “in failing to follow the plaintiff's request for additional privacy protection of her protected health information from production to the party requesting it”; and (5) 45 C.F.R. § 164.502 “in failing to determine and produce only the minimum necessary data requested.”
8. In Fisher, ajudge of the Superior Court concluded that HIPAA's omission of a private right of action preempts, under 42 U.S .C. § 1320d–7 (a)(2)(B), state law causes of action arising from health care providers' breaches of patient privacy. Specifically, the court concluded that a plaintiff's claim, which was brought under the Connecticut Unfair Trade Practices Act (CUTPA), General Statutes § 42–110a et seq., challenging a hospital's “fail[ure] to comply with HIPAA's privacy requirements” was preempted because “[i]f Congress had intended to allow for a private action as part of this program, it could have included it in the legislation or authorized the Secretary [of the department] to provide for the same by rulemaking,” and “[t]herefore, to the extent CUTPA permits a private right of action for a HIPAA violation, CUTPA constitutes a ‘contrary’ provision of state law and falls within the ambit of the HIPAA general preemption rule.” Fisher v. Yale University, supra, Superior Court, Docket No. X10–CV–04–4003207–S. In so concluding, the court rejected the plaintiff's argument that, “since a violation of HIPAA is a violation of a clearly delineated public policy, it is actionable under CUTPA, and that the ability of a plaintiff to bring the action will result in greater privacy protection to her as a subject of individually identifiable health information.” Id.; see also Salatto v. Hospital of Saint Raphael, Superior Court, judicial district of New Haven, Docket No. CV–09–5032170–S (October 6, 2010) (The trial court granted a motion for summary judgment as to the plaintiff's “negligence per se claims [that] assert that the defendant violated his right to confidentiality, pursuant to HIPAA. It is well settled that HIPAA does not create a private right of action.”); Meade v. Orthopedic Associates of Windham County, supra, Superior Court, Docket No. CV–06–4005043–S(“[t]his court concurs with the reasoning in Fisher and, therefore, finds that the plaintiff's CUTPA claim is preempted by HIPAA and does not provide a private right of action”).
9. The trial court further disagreed with the plaintiff's argument analogizing HIPAA to the federal Occupational Safety and Health Act, 29 U.S.C. § 651 et seq., whose regulations “may be used as evidence of the standard of care in a negligence action against an employer”; Wagner v. Clark Equipment Co., 243 Conn. 168, 188, 700 A.2d 38 (1997); observing that “[n]o such history exists for HIPAA regulations.”
10. Specifically, the trial court noted the “stark difference” between § 52–146o and the more comprehensive safeguards for the disclosure of medical records in administrative and judicial proceedings set forth by 45 C.F.R. § 164.512(e); see footnote 12 of this opinion; and observed that, “[t]o the extent that § 52–146o permits disclosure of protected medical records pursuant to a subpoena without the safeguards required by HIPAA, it is both contrary to and less stringent than HIPAA and therefore superseded by HIPAA.”
11. Title 45 of the Code of Federal Regulations (2004), § 160.202, implements 42 U.S.C. § 1320d–7, and provides: “For purposes of this subpart, the following terms have the following meanings:“Contrary, when used to compare a provision of [s]tate law to a standard, requirement, or implementation specification adopted under this subchapter, means:(1) A covered entity would find it impossible to comply with both the [s]tate and [f]ederal requirements; or(2) The provision of [s]tate law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act, section 264 of [Public Law] 104–191, as applicable.“More stringent means, in the context of a comparison of a provision of [s]tate law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a[s]tate law that meets one or more of the following criteria:“(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:(i) Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or(ii) To the individual who is the subject of the individually identifiable health information.“(2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.“(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.“(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.“(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.“(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.“Relates to the privacy of individually identifiable health information means, with respect to a[s]tate law, that the [s]tate law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.“State law means a constitution, statute, regulation, rule, common law, or other [s]tate action having the force and effect of law.” (Emphasis in original.)
12. Title 45 of the Code of Federal Regulations, § 164.512, provides in relevant part: “A covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given orally.“(a) Standard: Uses and disclosures required by law. (1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.“(2) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.* * *“(e) Standard: Disclosures for judicial and administrative proceed ings.—(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or(ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.“(iii) For the purposes ofparagraph (e)(1)(ii)(A) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);(B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and(C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:(1) No objections were filed; orAll objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.“(iv) For the purposes of paragraph (e)(1)(ii)(B) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:(A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or(B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.“(v) For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e)(1)(ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:(A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and(B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.“(vi) Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(iv) of this section.“(2) Other uses and disclosures under this section. The provisions of this paragraph do not supersede other provisions of this section that otherwise permit or restrict uses or disclosures of protected health information․” (Emphasis in original.)
13. Similarly, the plaintiff also asks us, as a matter of judicial economy in the event of a remand, to determine, as a matter of law, whether the defendant's act of mailing the medical records into court in response to the subpoena complied with General Statutes § 52–143 and the federal regulatory provisions under HIPAA, namely, 45 C.F.R. § 164.512(e)(1)(ii) and (iii), with respect to notifying the plaintiff or seeking a qualified protective order. See footnote 12 of this opinion. We address this claim in part II A of this opinion.
14. For additional background discussion of health care providers' common-law duty to protect patient confidences, and the related cause of action, compare, for example, Biddle v. Warren General Hospital, 86 Ohio St.3d 395, 715 N.E.2d 518 (1999), with Quarles v. Sutherland, 215 Tenn. 651, 389 S.W.2d 249 (1965).
15. “The Privacy Rule forbids an organization subject to its requirements (a ‘covered entity’) from using or disclosing an individual's health information (‘protected health information’) except as mandated or permitted by its provisions․ ‘Covered entities' generally include health plans, health care clearinghouses and health care providers such as physicians, hospitals and HMOs․ ‘Protected health information’ encompasses any individually identifiable health information held or transmitted by a covered entity in any form or medium, whether electronic, paper or oral․” (Citations omitted.) Arons v. Jutkowitz, 9 N.Y.3d 393, 412–13, 880 N.E.2d 831, 850 N.Y.S.2d 345 (2007); id. (discussing, inter alia, 45 C.F.R. §§ 164.502[a], 164.512[e] ).In the litigation context specifically, as reflected in 45 C.F.R. § 164.512(e)(1)(i) and (ii), the “Privacy Rule also permits covered entities to use or disclose protected health information without authorization pursuant to a court or administrative order so long as only the protected health information covered by the order is disclosed ․ or in response to a subpoena, discovery request or other lawful process if the entity has received satisfactory assurances that the party seeking the disclosure has made reasonable efforts to ensure that the individual has been given notice of the request, or has made reasonable efforts to secure a qualified protective order from a court or administrative tribunal․” (Citations omitted.) Id., at 414; see footnote 12 of this opinion for the text of 45 C.F.R. § 164.512(e).
16. See footnote 11 of this opinion.
17. Also exempted from preemption are: (1) provisions of state law approved by the secretary of the department subject to certain conditions; see 45 C.F.R. § 160.203(a); (2) a “provision of [s]tate law, including [s]tate procedures established under such law, as applicable, [which] provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention”; 45 C.F.R. § 160.203(c); and (3) a “provision of [s]tate law [that] requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.” 45 C.F.R. § 160.203(d).* * *
18. Title 42 of the United States Code, § 1320d–6 provides: “(a) Offense “A person who knowingly and in violation of this part—(1) uses or causes to be used a unique health identifier;(2) obtains individually identifiable health information relating to an individual; or(3) discloses individually identifiable health information to another person,“shall be punished as provided in subsection (b) of this section. For purposes of the previous sentence, aperson (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9 (b)(3) of this title) and the individual obtained or disclosed such information without authorization.“(b) Penalties“A person described in subsection (a) of this section shall—(1) be fined not more than $50,000, imprisoned not more than [one] year, or both;(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than [five] years, or both; and(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than [ten] years, or both.”
19. This question had been raised in connection with proposed language for 45 C.F.R. § 160.202 that would have specifically defined the application of the phrase “more stringent” in a variety of contexts, including stating that “more stringent” means, “[w]ith respect to penalties, provides greater penalties.” (Emphasis added.) Standards for Privacy of Individually Identifiable Health Information, 64 Fed.Reg. 59,918, 60,051 (November 3, 1999); see also id., at p. 59,997 (explaining department's initial decision to provide specific definitions). In the commentary to the final rule, the department stated that it had “reconsidered the proposed ‘penalty’ provision of the proposed definition of ‘more stringent’ and have eliminated it. The HIPAA statute provides for only two types of penalties: fines and imprisonment. Both types of penalties could be imposed in addition to the same type of penalty imposed by a state law, and should not interfere with the imposition of other types of penalties that may be available under state law. Thus, we think it is unlikely that there would be a conflict between state and federal law in this respect, so that the proposed criterion is unnecessary and confusing .” Standards for Privacy of Individually Identifiable Health Information, 65 Fed.Reg. 82,462, 82,582 (December 28, 2000).
20. We also note the body of case law establishing that, in the absence of a private right of action under HIPAA, the federal courts lack jurisdiction to remove actions containing a state law claim relying on HIPAA to support the standard of care. This body of case law indicates HIPAA's failure to preempt state law causes of action by implication. See Hearn v. Reynolds, 876 F.Supp.2d 798, 799–800 (S.D.Miss.2012) (remanding removed case to state court because, although complaint stated that “publications amounted to HIPAA violations,” “HIPAA creates no private right of action” and complaint indicated that plaintiff “is concerned primarily with an intent to injure his standing in the community rather than a disclosure of his medical history”); Baum v. Keystone Mercy Health Plan, 826 F.Supp.2d 718, 721 (E.D.Pa.2011) (remanding removed case to state court although HIPAA “is implicated because the federal statute requires [d]efendants to ‘reasonably safeguard protected health information,’ such as the information on the misplaced USB drive, ‘from any intentional or unintentional use or disclosure’ ․ this is a fairly straightforward state-law tort case” with claims of negligence, negligence per se and violations of Pennsylvania's unfair trade practices statute); K.V. v. Women's Healthcare Network, LLC, United States District Court, Docket No. 07–0228–CV–W–DW (W.D. Mo. June 6, 2007) (The court remanded the removed case, claiming negligence and negligence per se arising from HIPAA violations, to the state court because “the parties concede that various courts around the country have determined that there is no express or implied private cause of action under HIPAA. Additionally, the state law claim raised in [c]ount  does not raise a substantial federal question of great federal interest. The privacy standards imposed by HIPAA are not uniquely federal and do not raise any issue of great federal interest.”); Harmon v. Maury County, United States District Court, Docket No. 1:05CV0026 (M.D.Tenn. August 31, 2005) (The court remanded the removed case to the state court because, although the plaintiffs' negligence per se claims cited HIPAA privacy regulation, “Congress did not provide an exclusive federal remedy under HIPAA and HIPAA does not completely preempt state law. There is no compelling federal interest nor is a substantial federal question presented. [The][p]laintiffs' claims fall within that broad class of state law claims based on federal regulations in the state court, as described in [Grable & Sons Metal Products, Inc. v. Darue Engineering & Mfg., supra, 545 U.S. at 308].”).
21. We find misplaced the defendant's reliance on the Kentucky decision in Young v. Carran, supra, 289 S. W.3d at 586, and the Maine decision in Bonney v. Stephens Memorial Hospital, supra, 17 A.3d at 123. The court in Young held only that HIPAA does not provide a private right of action—a proposition not challenged by the plaintiff in this appeal—and that the HIPAA regulations could not be used to support a negligence per se claim because of a Kentucky statute that previously had been interpreted by the state's Supreme Court to limit negligence per se claims to violations only of Kentucky state statutes. See Young v. Carran, supra, at 588–89, citing T & M Jewelry, Inc. v. Hicks ex rel. Hicks, 189 S .W.3d 526, 530 (Ky.2006). Indeed, the Kentucky court indicated that a properly pleaded claim of negligence, rather than negligence per se, could be founded on federal regulatory violations, noting that, in T & M Jewelry, Inc., the Kentucky Supreme Court had “used provisions of the federal Gun Control Act of 1968 to define a duty of care for purposes of a common law negligence action—not a ․ negligence per se claim.” Young v. Carran, supra, at 589.Bonney similarly held only that HIPAA did not afford the plaintiffs therein a private right of action, and specifically noted that “HIPAA standards, like state laws and professional codes of conduct, may be admissible to establish the standard of care associated with a state tort claim,” which is precisely what the plaintiff in this appeal seeks to do. Bonney v. Stephens Memorial Hospital, supra, 17 A.3d at 127–28.Finally, we disagree with the defendant's attempt to diminish the Utah Court of Appeals decision in Sorensen v. Barbuto, supra, 143 P.3d at 299 n. 2, which had rejected the claim that the plaintiff was “not entitled to a private right of action for breach of professional standards,” which included “HIPAA, the American Medical Association's Principles of Medical Ethics, and the Hippocratic Oath.” The Utah court emphasized that the plaintiff therein did not contend that those provisions afforded him a private right of action, but “[r]ather ․ that the professional standards contribute to the proper standard of care․” Id. Plainly implicit in this conclusion is that it is proper in Utah to utilize HIPAA as evidence of the standard of care in negligence actions.
22. Although it is not entirely clear from her brief, the record, or the allegations in the operative complaint whether the plaintiff seeks to use the HIPAA regulations simply as evidence of the standard of care, or as a basis for negligence per se, this lack of clarity does not affect our preemption analysis. We note, however, that whether the particular HIPAA regulations at issue are suitable for use as a legislatively imposed standard of care for purposes of establishing negligence per se is a potentially complex question of law that has not been adequately briefed by the parties herein, and therefore, is one that we need not decide in this appeal. See, e.g., Gore v. People's Savings Bank, 235 Conn. 360, 380, 665 A.2d 1341 (1995) (“[i]n deciding whether the legislature intended to provide for such statutory liability, we look to the language of the statute and to the legislative history and purposes underlying the provision's enactment”).