Jay Reyero, JD, Partner, ByrdAdatto

As a medical facility, any med spa must be HIPAA compliant. While HIPAA does not contain a rule or regulation providing an individual a remedy for a breach nor are violations of HIPAA a specific cause of action, HIPAA is increasingly being accepted as the standard of care with respect to handling confidential patient information.

In a recent Supreme Court decision, Connecticut joined the list of other states recognizing a private cause of action against healthcare providers for HIPAA violations.

In the case, a healthcare provider received a subpoena requesting production of all the medical records of one of its patient involved in a paternity suit. In response to the subpoena the healthcare provider mailed a copy of the medical records to the court. As a result, the other party of the paternity suit obtained access to the medical records and began harassing the patient. The patient sued on multiple negligence counts and breach of contract.

In its opinion, the Connecticut Supreme Court concluded that "a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained in the course of that relationship gives rise to a cause of action sounding in tort against the health care provider, unless the disclosure is otherwise allowed by law." To determine whether disclosure was allowed by law, the Supreme Court pointed to the requirements under HIPAA for responding to a subpoena because:

"to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients' medical records pursuant to a subpoena."

While most healthcare providers think of HIPAA as only an enforcement tool utilized by the Federal Government, this case further demonstrates the increasing use of HIPAA as the standard of care when it comes to common-law causes of action. Regardless of whether HIPAA is applicable to a particular healthcare provider, all healthcare providers need to be cognizant of its rules and regulations, as they may be held to such standards and rules.

HIPAA isn't the only standard that could come into play as typically there are other standards such as state law, licensing board rules, and ethical rules. Healthcare providers would be wise to reevaluate their policies and procedures and ensure they are in line with the applicable rules and standards to ensure the proper handling of confidential patient information within their organization. AmSpa members can check their state's medical aesthetic legal summary to find the laws governing their practice.

For more information on patient privacy requirements in medical spas sign up for AmSpa's live webinar on the topic, free to AmSpa members.

Jay Reyero, JD, is a partner at the business, healthcare, and aesthetic law firm of ByrdAdatto. He has a background as both a litigator and transactional attorney, bringing a unique and balanced perspective to the firm's clients. His health care and regulatory expertise involves the counseling and advising of physicians, physician groups, other medical service providers and non-professionals. Specific areas of expertise include Federal and State health care regulations and how they impact investments, transactions and various contractual arrangements, particularly in the areas of Federal and State anti-referral, anti-kickback and HIPAA compliance.