New York’s Supreme Court (the trial level court in New York) has reaffirmed that health care providers and health plans (as well as HIPAA Business Associates) assume the lack of a cause of action for improper disclosure or access to Protected Health Information at their peril. In Mott v. Nassau University Medical Center, et. al., 2011 NY Misc LEXIS 325394 (Sept. 23, 2011), the court denied a motion to dismiss a common law claim of breach of fiduciary duty of confidentiality for damages arising from unauthorized access to the medical records of a hospital employee. The plaintiff had previously submitted a complaint to the Office of Civil Rights (“OCR”) of the U.S. Department of Health and Human Services, which dismissed the allegation. The defendant in state court moved to dismiss the common law claim on grounds of collateral estoppel. In denying the motion, the court held that OCR had not considered whether there had been a violation of the fiduciary duty of confidentiality as that obligation is defined under New York law. The lesson in Mott, then, is that covered entities should address state laws and cases regarding breaches of confidentiality in policies, procedures and training – and not to take false comfort in the mistaken notion that aggrieved individuals cannot sue for confidentiality violations.

• Tweet