Factors for Connecticut Health Providers to Consider When Responding to “Required by Law” Requests for Disclosure of Protected Health
Protected Health Information

In June 2022, the HHS Office for Civil Rights issued new HIPAA Privacy Rule Guidance in response to the Supreme Court’s decision in Dobbs v Jackson Women’s Health Organization and state legislation which followed the decision outlawing or severely restricting access to reproductive health care services.  This guidance reminds HIPAA covered entities that (1) the Privacy Rule permits but does not require disclosure of protected health information (PHI) under certain circumstances, and (2) required by law permissible disclosures are limited to a mandate contained in law that compels an entity to make a use or disclosure of PHI, and that is enforceable in a court of law.

The Privacy Rule guidance warns that disclosures of PHI that do not meet the required by law definition in the HIPAA rules or that exceed what is required by such law, do not qualify as permissible disclosures, triggering a breach of unsecured PHI notice to HHS and the individual affected by the disclosure.  Under the HIPAA Privacy Rule required by law disclosures without patient consent may be made in response to subpoenas in a civil matter provided the procedural safeguards required under HIPAA are followed.

Connecticut HIPAA covered entities who are asked to disclose PHI without explicit patient consent must also consider whether such disclosure is permitted under Connecticut law. Under CGS 52-146o Connecticut has provided physicians and other health care providers with an evidentiary privilege to not disclose (1) any communication made by a patient with respect to any actual or supposed physical or mental disease or disorder, or (2) any information obtained by examination of the patient without the explicit consent of the patient. The statute also permits disclosure of PHI without patient consent under certain circumstances including if disclosure is required under any statute or regulation of any state agency or rules of court.

Connecticut Public Acts 22-19 and 22-118 effective July 1, 2022, create similar evidentiary privilege/disclosure without patient consent exceptions for reproductive and gender-affirming health care services. “Reproductive health care services” includes all medical, surgical, counseling or referral services relating to the human reproductive system, including but not limited to services relating to pregnancy, contraception or the termination of a pregnancy. “Gender-affirming health care services” includes all medical care relating to the treatment of gender dysphoria.  Both Public Acts impose an affirmative obligation on HIPAA covered entities to inform patients of their right to withhold consent to disclosures regarding their reproductive or gender-affirming health care services.

The 2014 Connecticut Supreme Court’s Byrne v Avery Center for Obstetrics and Gynecology, P.C. (2014) held that “HIPAA regulations may be utilized to inform the applicable standard of care” for disclosing PHI pursuant to a subpoena without a patient’s consent. Subsequently, in Byrne v. Avery Center for Obstetrics and Gynecology, P.C.(2018) the Connecticut Supreme Court recognized a common law duty of confidentiality arising from the physician-patient relationship and established a new private cause of action for breach of the duty of confidentiality.. See Pullman Blog re Byrne.

Connecticut health care providers need to be alert to the nuanced differences between the HIPAA Privacy Rule and Connecticut law regarding the disclosure or use of PHI.  There is no private right of action under HIPAA for a breach of unsecured PHI but Connecticut providers may now be sued for breach of the duty of confidentiality if unsecured PHI is improperly disclosed. HIPAA permits disclosure of PHI in response to an attorney issued subpoena under certain circumstances.  Connecticut does not permit such disclosures, in the absence of a court order, without the explicit consent of the patient. The prudent conclusion is that once it is determined that Connecticut law permits the disclosure, HIPAA procedures should be followed in order to minimize the likelihood of a successful breach of confidentiality claim from the patient.

If you have any questions about any of the matters discussed above,  please contact Sharon Freilich or any of our Pullman & Comley health law attorneys.

Posted in Privacy

Related Practices & Industries

This blog/web site presents general information only. The information you obtain at this site is not, nor is it intended to be, legal advice, and you should not consider or rely on it as such. You should consult an attorney for individual advice regarding your own situation. This website is not an offer to represent you. You should not act, or refrain from acting, based upon any information at this website. Neither our presentation of such information nor your receipt of it creates nor will create an attorney-client relationship with any reader of this blog. Any links from another site to the blog are beyond the control of Pullman & Comley, LLC and do not convey their approval, support or any relationship to any site or organization. Any description of a result obtained for a client in the past is not intended to be, and is not, a guarantee or promise the firm can or will achieve a similar outcome.

Subscribe to Updates

About Our Connecticut Health Law Blog

Alerts, commentary and insights from the attorneys of Pullman & Comley’s Health Care practice on legal developments affecting hospitals, physician groups, pharmaceutical and medical device companies as well as other health care providers and suppliers.

Other Blogs by Pullman & Comley

Education Law Notes

For What It May Be Worth

Working Together

Recent Posts


Jump to Page