Until recently, there was some question as to whether a patient in New York had the right to seek compensatory and/or punitive damages when her right to privacy is violated by a medical provider. I frequently receive calls from people in our community wishing to bring actions for “HIPAA violations”, and have explained on countless occasions that the federal bill is regulatory in nature, and does not give rise to private causes of action.  In fact, I did a blog post under HIPAA’s shortcomings in 2008 called HIPAA – Another Case of Powerful Rights and Wimpy Remedies.

However, I was recently approached by a potential client with egregious facts involving disclosure of very personal information, prompting me to take a closer look at New York state law to see if it provides a remedy for her.

Cause of Action Against Medical Providers under CPLR 4504

As it turns out, the New York Court of Appeals spoke directly to this issue last year in Chanko v. American Broadcasting Companies, Inc., 27 N.Y.3d 46 (2016).  In Chanko, family members of a deceased hospital patient brought an action against a television network, hospital, and treating physician, relating to filming of the patient’s medical treatment and death in a hospital emergency room, with a portion of the footage broadcast as part of documentary series about medical trauma.

The Court held there is a cause of action in New York for breach of confidentiality under CPLR 4504 which states, “[u]nless the patient waives the privilege, a person authorized to practice medicine … shall not be allowed to disclose any information which he [or she] acquired in attending a patient in a professional capacity, and which was necessary to enable him [or her] to act in that capacity.” Id. at 52.

Describing its rationale, the Court observed that the policy objectives of CLPR 4504 are to:

  1. Maximize unfettered communication between patients and medical professionals, so that people will not be deterred by possible public disclosure “from seeking medical help and securing adequate diagnosis and treatment”;
  2. Encourage physicians to candidly record confidential information in medical records, so they are not torn between the legal duty to testify and the professional obligation to honor patient confidences; and
  3. Protect the reasonable privacy expectations of patients that their sensitive personal information will not be disclosed.

And, the Court reasoned that a private cause of action is reasonable as the “disclosure of secrets acquired when treating a patient naturally shocks our sense of decency and propriety, which is one reason it is forbidden.” Id at 53.

Specifically related to emergency care, the Court noted, “patients should not fear that merely by obtaining emergency medical care they may lose the confidentiality of their medical records and their physicians’ medical determinations. A contrary result would discourage critical emergency care, intrude on patients’ confidential medical relationships and undermine patients’ reasonable expectations of privacy”. Id.

Causes of Action Medical Employers

As with any malpractice case, direct causes of action may be asserted against a medical provider’s employer for its own conduct, be it negligent hiring, supervision or other negligence, may still be maintained (see Judith M. v. Sisters of Charity Hosp., 93 N.Y.2d 932, 934 [1999] ).

A medical corporation may also be liable in tort for failing to establish adequate policies and procedures to safeguard the confidentiality of patient information or to train their employees to properly discharge their duties under those policies and procedures, providing incentive for medical providers create appropriate safeguards to ensure protection of a patient’s confidential information.

This is really good news for New Yorkers, and will hopefully allow me to help someone right a very egregious wrong.