Avoiding a Breach of Confidentiality

For the past several years, physicians and other health care providers have focused most, if not all, of their attention on the various patient health information confidentiality requirements imposed by the federal government's Health Insurance Portability and Accountability Act (HIPAA). HIPAA's enactment has ' or should have ' caused health care providers to become sensitized to the fact that patient confidentiality must be preserved, and compliance with the various rules and regulations contained in the legislation is required.

However, less attention has been accorded to individual state-statute based patient confidentiality requirements, many of which existed for a significant period of time before the enactment of HIPAA. Other privacy right claims can be made based on traditional tort concepts, such as breach of contract and negligence. Physicians and other health care providers should remember to spend some of their energies focusing on these issues and on state privacy laws that exist independently of HIPAA, since they can give rise to causes of actions by aggrieved patients.

State Medical-Privacy Law: A New York Case Says Punitives Are Authorized

Some states, including New York, have statutes on their books protecting patient medical information from unauthorized dissemination. In the event confidential patient information is improperly released, certain state laws will allow the offending doctor, nurse or healthcare facility to be held liable not only for consequential damages but also for punitive damages. For example, in a recent case, a New York State appellate court upheld a lower court's award of damages to the plaintiff patient for breach of privacy and referred the case back to the trial court for a determination of punitive damages. Randi A.J. v. Long Island Surgi-Center, 43 AD3d 74 (2d Dept. 2007).

The plaintiff in Randi A.J. was a 20-year-old unmarried woman who underwent an abortion. Because her parents strongly disapproved of both pre-marital sex and abortion, the patient, who lived with her parents, specifically instructed the health care provider's office that all phone calls were to be made to her work or cell phone numbers, not to her home. A nurse, however, called the plaintiff's home the day after the procedure, spoke with her mother, and provided her with enough information indirectly relating to the abortion that the mother was able to put two and two together. The patient sued the center, claiming violation of confidentiality, privacy and fiduciary duties. She asked the court not only for compensatory damages, but also for punitive damages.

During the trial, the health care provider testified regarding the manner in which it handled the patient's request that her home phone number not be used. That testimony revealed that the health care provider had no special form or process for recording a patient's instructions regarding confidentiality and privacy instructions, and that it did not have any written plan to protect the patient's confidentiality. The testimony also showed that there was no bad faith or intentional violation of the patient's rights, nor was any act done maliciously with the purpose of causing injury. The jury found that the health care facility had violated the patient's right to privacy as imposed by state statute, and that the patient had suffered damages as a result of the ensuing conflicts that arose between herself and her parents. It awarded the plaintiff $65,000 in compensatory damages, for past and future emotional distress. The jury also awarded her $300,000 in punitive damages.

New York's Appellate Division, Second Department, affirmed the award, unanimously, in the case of the compensatory damages. The five-member panel was split as to the punitive award, however, voting 3-2 to affirm.

Writing for the majority, Justice Steven Fisher took note of the fact that punitive damages are usually reserved for cases in which defendants commit intentional torts, like fraud. Nonetheless, in cases of willful or wanton negligence or recklessness, they may be justified if the state has a strong public policy reason for wanting to deter the defendant or others from indulging in the same or similar conduct again.

Why the Verdict

In this case, several things had been done incorrectly by the surgical center, leaving open the very real possibility that a breach of confidentiality could occur. Among these were the lack of a written plan for protecting patient privacy, including patient medical records, from disclosure. New York's Public Health Law ' 2803-c requires such written plans. In addition:

• The nursing staff at the center did not fully understand the unwritten 'no call' policy;
• The center's admitting staff routinely put pre-printed labels containing patient contact information on most pages of each patient's medical file without asking about or noting whether the patient had made a contrary contact-method request;
• The center apparently violated New York's Hospital Code by failing to have the blood test results before the abortion was performed, necessitating the call to the patient's home the next day;
• The nurse who called the plaintiff's home knew she was speaking to someone other than the patient, but apparently did not feel constrained by patient privacy concerns to refrain from divulging personal medical information to the third party;
• An administrator at the center, who was involved with a State Health Department investigation into the incident, could not recall that the Health Department had found the center in breach of its confidentiality obligations to the plaintiff, indicating that the center's administration was not serious about imposing reforms to prevent future breaches; and
• The center apparently took no disciplinary action against the nurse who made the call to the plaintiff's home, even though its own internal written policies said that employees who breached patient confidentiality codes could be fired.

The majority concluded that these and other considerations, taken together, indicated that the center could be subject to similar lapses in the future. In order to prevent comparable breaches from occurring at this and other medical facilities, award of punitive damages was justified.

The Dissent

The minority justices found punitive damages excessive in this case. They pointed out, in an opinion written by Justice Gabriel Krausman, that punitive damages are usually reserved for the most egregious tortfeasors; those who exhibit malice, or who commit a deliberate fraud, for example. The center's employees had committed their breaches inadvertently, and with the intent to protect the patient's health.

Justice Krausman compared the Randi A.J. case to a sensational recent case, Ross v. Louise Wise Services Inc., 8 NY3d 478 (2007). In Ross, the parents of an adoptive child sued the adoption agency from which they had gotten their son, who exhibited anti-social behaviors from toddlerhood on and eventually had to be institutionalized for paranoid schizophrenia. The parents had specifically asked the adoption agency about the child's family's medical history prior to accepting him into their family. They were told only about some family history of heart problems and penicillin allergy; the agency knew about but deliberately kept from the adoptive parents the significant mental health histories of both the birth-mother and birth-father's families. New York's highest court, the Court of Appeals, declined to impose punitive damages in that case, finding the actions of the adoption agency personnel did not rise to the level of moral turpitude required before punitive damages are justified.

Looking at the Ross outcome, Judge Krausman concluded that the Court of Appeals had clearly pronounced that 'in this State, such damages are to be reserved for exceptional misconduct.' Thus, punitive damages in the Randi A.J. case should not stand.

Clarification of the issue of what level of scienter is necessary before punitive damages may be awarded under New York State law when a medical privacy breach occurs will have to wait; the parties settled soon after the Appellate Department issued its decision.

Negligence and Invasion of Privacy: A California Case

Even when state patient privacy laws are lacking, breaches of medical confidentiality principles can land medical providers in court. A case from California offers one example.

In Poli v. Mountain Valleys Health Centers Inc., Not Reported in F.Supp.2d, 2006 WL 83378 (E.D.Cal.,2006), the plaintiff worked for Mountain Valleys Health Center as a physician assistant and nurse practitioner from 2002 until November 2005. While employed there, plaintiff and other physician assistants often received prescription recommendations from doctors, transmitted the prescription to a pharmacy, and had the prescription filled for their own personal use. The plaintiff got one such recommendation from a doctor at the facility. That doctor recommended the plaintiff take the prescription medication Xanax and gave his approval for the plaintiff to order it. Plaintiff then called a pharmacy operated by defendant Rite Aid and told the pharmacist that the doctor had recommended he use Xanax. The pharmacy filled the prescription, providing plaintiff with 20 Xanax pills.

Soon thereafter, a county sheriff stopped the plaintiff as he was driving, discovered the Xanax in the car and proceeded to conduct an investigation into the legality of plaintiff's possession of the drug. The sheriff contacted Mountain Valleys and requested plaintiff's medical records, but Mountain Valleys had no such records. This being the case, Mountain Valleys called defendant Rite Aid and obtained plaintiff's prescription records. Mountain Valleys placed plaintiff on administrative leave pending the outcome of the investigation, and eventually terminated his employment.

Plaintiff sued Rite Aid alleging that '[i]n wrongfully releasing Plaintiff's medical information, Defendant [Rite Aid] violated public policy by failing to comply with 42 U.S.C. 1320,' the Health Insurance Portability and Accountability Act (HIPAA). The plaintiff also alleged violation of California state law, specifically negligence and invasion of privacy. The court dismissed the HIPAA cause of action, finding that that statute contained no express or implied private right of action for its breach. The state-law negligence and invasion-of-privacy claims were allowed to go forward, however.

In California, a plaintiff must allege four elements to state a cause of action for negligence: 1) duty; 2) breach; 3) causation; and 4) damages. Ileto v. Glock Inc., 349 F.3d 1191, 1203 (9th Cir.2003). The Poli plaintiff had alleged, 'Defendants had a duty not to disclose medical information without adequate cause or a proper subpoena. Defendants breached this duty by disclosing Plaintiff's medical information to a third party without adequate cause or a proper subpoena. As a proximate result … Plaintiff has become mentally traumatized, distressed and aggravated.' These allegations, the court determined, covered all four elements of the state-law-based tort of negligence. Thus, the motion to dismiss the negligence claim was denied.

Similarly, the invasion of privacy claim could not be dismissed because plaintiff had alleged the requisite elements of that tort, namely: 1) that he had a legally protected privacy interest; 2) that he had a reasonable expectation of privacy under the circumstances; and 3) that the defendant's conduct amounted to a serious invasion of a protected privacy interest. Egan v. Schmock, 93 Fed. Supp.2d 1090 (N.D.Cal.2000). Here, the court found that 'a reasonable person could have an expectation of privacy under the circumstances alleged by plaintiff.'

Breach of Contract: A Connecticut Plaintiff Takes Another Tack

Another way in which a patient could recover for unauthorized release of private medical information is breach of contract. That is the basis upon which the plaintiff sought damages in Meade v. Orthopedic Associates of Windham County, Not Reported in A.2d, 2007 WL 4755001(Conn.Super.,2007).

The court there allowed the claim to go forward, in spite of the fact that there is no established cause of action in Connecticut for breach of confidence in the context of a patient-physician or patient-hospital relationship.

The plaintiff in Meade filed a 16-count complaint against defendant Day Kimball Hospital, which had treated him for alcohol abuse. The court threw out all but one of those counts, leaving in place the contract breach claim. The facts alleged to support the breach of contract claim were these: that Day Kimball was 'a covered entity pursuant to the Health Insurance Portability and Accountability Act (HIPAA)' and was 'required to comply with provisions of 42 USC Part 2 relating to confidentiality of medical records of persons undergoing treatment for substance abuse.' While at Day Kimball Hospital for treatment of alcoholism, plaintiff had signed an authorization-for-release-of-information form. That form named all the persons and institutions to which the patient authorized released of his medical records. Not included on that list was Orthopedics Associates. However, at the request of an 'employee of Orthopedics Associates' ' with which Day Kimball had a business agreement ' Day Kimball released the plaintiff's medical records to Orthopedics Associates. Plaintiff had never been a patient of Orthopedics Associates. (Apparently not coincidentally, plaintiff's ex-wife worked at Orthopedics Associates.) Plaintiff found out about the release of his records when his ex-wife moved the custody court handling his domestic legal issues to modify custody because of plaintiff's alleged severe alcoholism. Plaintiff alleged his ex-wife also notified his business associates and others that he was being treated for alcoholism, ruining his reputation in the community.

The court handling the contract claim against the hospital noted that, in Connecticut, 'The elements of a breach of contract action are the formation of an agreement, performance by one party, breach of the agreement by the other party and damages.' Chiulli v. Zola, 97 Conn.App. 699 (2006). Here, the plaintiff alleged that Day Kimball 'entered a contractual relationship with plaintiff to provide care and treatment to him in accordance with its institutional policies and procedures, and with public law and policy.' Although the plaintiff did not allege that the parties entered into a written contract, he did allege that he executed an authorization for release of information in which he 'expressly' identified 'those person[s] to whom defendant Day Kimball was authorized to release his medical records and protected health information.' The court concluded, based on these allegations, that '[a]t a minimum, there appears to be an implied contract between the parties concerning the plaintiff's alcohol treatment program. The plaintiff alleges that Day Kimball breached its contract with the plaintiff by violating its own institutional policies and procedures as reflected in the hospital's use of an authorization, and public law and policy as reflected in HIPAA.' This, the court found, was sufficient to defeat the defendant's motion to dismiss the breach of contract action.

Conclusion

When a patient sues for violation of a state legislated right to privacy, breach of contract or on some other basis, courts will obviously have to scrutinize the individual facts and circumstances of the case to determine whether the violation was sufficiently negligent, reckless, or even knowingly conducted to warrant imposition of punitive damages, or even liability. But a state's strong interest in supporting patient privacy, which could lead to liability and the imposition of punitive damages, highlights the importance of strictly maintaining patient privacy and confidentiality.

To avoid liability, physicians and health care entities must have written policies and procedures in place to deal with privacy issues so that even a well intentioned, but nonetheless inappropriate, disclosure of private health information can be prevented. Attention needs to be given not exclusively to HIPAA, but to all applicable federal, state and local laws, rules and regulations that exist to protect patient privacy.

Gary S. Sastow, Esq. is of counsel at Meiselman, Denlea, Packman, Carton & Eberz P.C., located in White Plains, NY. For nearly 30 years, Meiselman, Denlea has represented physicians and other health care providers in litigation, transactional and regulatory matters. He can be reached at 914-517-5000, or [email protected]. Janice G. Inman is Editor-in-Chief of this newsletter.

For the past several years, physicians and other health care providers have focused most, if not all, of their attention on the various patient health information confidentiality requirements imposed by the federal government's Health Insurance Portability and Accountability Act (HIPAA). HIPAA's enactment has ' or should have ' caused health care providers to become sensitized to the fact that patient confidentiality must be preserved, and compliance with the various rules and regulations contained in the legislation is required.

However, less attention has been accorded to individual state-statute based patient confidentiality requirements, many of which existed for a significant period of time before the enactment of HIPAA. Other privacy right claims can be made based on traditional tort concepts, such as breach of contract and negligence. Physicians and other health care providers should remember to spend some of their energies focusing on these issues and on state privacy laws that exist independently of HIPAA, since they can give rise to causes of actions by aggrieved patients.

State Medical-Privacy Law: A New York Case Says Punitives Are Authorized

Some states, including New York, have statutes on their books protecting patient medical information from unauthorized dissemination. In the event confidential patient information is improperly released, certain state laws will allow the offending doctor, nurse or healthcare facility to be held liable not only for consequential damages but also for punitive damages. For example, in a recent case, a New York State appellate court upheld a lower court's award of damages to the plaintiff patient for breach of privacy and referred the case back to the trial court for a determination of punitive damages. Randi A.J. v. Long Island Surgi-Center , 43 AD3d 74 (2d Dept. 2007).

The plaintiff in Randi A.J. was a 20-year-old unmarried woman who underwent an abortion. Because her parents strongly disapproved of both pre-marital sex and abortion, the patient, who lived with her parents, specifically instructed the health care provider's office that all phone calls were to be made to her work or cell phone numbers, not to her home. A nurse, however, called the plaintiff's home the day after the procedure, spoke with her mother, and provided her with enough information indirectly relating to the abortion that the mother was able to put two and two together. The patient sued the center, claiming violation of confidentiality, privacy and fiduciary duties. She asked the court not only for compensatory damages, but also for punitive damages.

During the trial, the health care provider testified regarding the manner in which it handled the patient's request that her home phone number not be used. That testimony revealed that the health care provider had no special form or process for recording a patient's instructions regarding confidentiality and privacy instructions, and that it did not have any written plan to protect the patient's confidentiality. The testimony also showed that there was no bad faith or intentional violation of the patient's rights, nor was any act done maliciously with the purpose of causing injury. The jury found that the health care facility had violated the patient's right to privacy as imposed by state statute, and that the patient had suffered damages as a result of the ensuing conflicts that arose between herself and her parents. It awarded the plaintiff $65,000 in compensatory damages, for past and future emotional distress. The jury also awarded her $300,000 in punitive damages.

New York's Appellate Division, Second Department, affirmed the award, unanimously, in the case of the compensatory damages. The five-member panel was split as to the punitive award, however, voting 3-2 to affirm.

Writing for the majority, Justice Steven Fisher took note of the fact that punitive damages are usually reserved for cases in which defendants commit intentional torts, like fraud. Nonetheless, in cases of willful or wanton negligence or recklessness, they may be justified if the state has a strong public policy reason for wanting to deter the defendant or others from indulging in the same or similar conduct again.

Why the Verdict

In this case, several things had been done incorrectly by the surgical center, leaving open the very real possibility that a breach of confidentiality could occur. Among these were the lack of a written plan for protecting patient privacy, including patient medical records, from disclosure. New York's Public Health Law ' 2803-c requires such written plans. In addition:

• The nursing staff at the center did not fully understand the unwritten 'no call' policy;
• The center's admitting staff routinely put pre-printed labels containing patient contact information on most pages of each patient's medical file without asking about or noting whether the patient had made a contrary contact-method request;
• The center apparently violated New York's Hospital Code by failing to have the blood test results before the abortion was performed, necessitating the call to the patient's home the next day;
• The nurse who called the plaintiff's home knew she was speaking to someone other than the patient, but apparently did not feel constrained by patient privacy concerns to refrain from divulging personal medical information to the third party;
• An administrator at the center, who was involved with a State Health Department investigation into the incident, could not recall that the Health Department had found the center in breach of its confidentiality obligations to the plaintiff, indicating that the center's administration was not serious about imposing reforms to prevent future breaches; and
• The center apparently took no disciplinary action against the nurse who made the call to the plaintiff's home, even though its own internal written policies said that employees who breached patient confidentiality codes could be fired.

The majority concluded that these and other considerations, taken together, indicated that the center could be subject to similar lapses in the future. In order to prevent comparable breaches from occurring at this and other medical facilities, award of punitive damages was justified.

The Dissent

The minority justices found punitive damages excessive in this case. They pointed out, in an opinion written by Justice Gabriel Krausman, that punitive damages are usually reserved for the most egregious tortfeasors; those who exhibit malice, or who commit a deliberate fraud, for example. The center's employees had committed their breaches inadvertently, and with the intent to protect the patient's health.

Justice Krausman compared the Randi A.J. case to a sensational recent case, Ross v. Louise Wise Services Inc. , 8 NY3d 478 (2007). In Ross, the parents of an adoptive child sued the adoption agency from which they had gotten their son, who exhibited anti-social behaviors from toddlerhood on and eventually had to be institutionalized for paranoid schizophrenia. The parents had specifically asked the adoption agency about the child's family's medical history prior to accepting him into their family. They were told only about some family history of heart problems and penicillin allergy; the agency knew about but deliberately kept from the adoptive parents the significant mental health histories of both the birth-mother and birth-father's families. New York's highest court, the Court of Appeals, declined to impose punitive damages in that case, finding the actions of the adoption agency personnel did not rise to the level of moral turpitude required before punitive damages are justified.

Looking at the Ross outcome, Judge Krausman concluded that the Court of Appeals had clearly pronounced that 'in this State, such damages are to be reserved for exceptional misconduct.' Thus, punitive damages in the Randi A.J. case should not stand.

Clarification of the issue of what level of scienter is necessary before punitive damages may be awarded under New York State law when a medical privacy breach occurs will have to wait; the parties settled soon after the Appellate Department issued its decision.

Negligence and Invasion of Privacy: A California Case

Even when state patient privacy laws are lacking, breaches of medical confidentiality principles can land medical providers in court. A case from California offers one example.

In Poli v. Mountain Valleys Health Centers Inc., Not Reported in F.Supp.2d, 2006 WL 83378 (E.D.Cal.,2006), the plaintiff worked for Mountain Valleys Health Center as a physician assistant and nurse practitioner from 2002 until November 2005. While employed there, plaintiff and other physician assistants often received prescription recommendations from doctors, transmitted the prescription to a pharmacy, and had the prescription filled for their own personal use. The plaintiff got one such recommendation from a doctor at the facility. That doctor recommended the plaintiff take the prescription medication Xanax and gave his approval for the plaintiff to order it. Plaintiff then called a pharmacy operated by defendant Rite Aid and told the pharmacist that the doctor had recommended he use Xanax. The pharmacy filled the prescription, providing plaintiff with 20 Xanax pills.

Soon thereafter, a county sheriff stopped the plaintiff as he was driving, discovered the Xanax in the car and proceeded to conduct an investigation into the legality of plaintiff's possession of the drug. The sheriff contacted Mountain Valleys and requested plaintiff's medical records, but Mountain Valleys had no such records. This being the case, Mountain Valleys called defendant Rite Aid and obtained plaintiff's prescription records. Mountain Valleys placed plaintiff on administrative leave pending the outcome of the investigation, and eventually terminated his employment.

Plaintiff sued Rite Aid alleging that '[i]n wrongfully releasing Plaintiff's medical information, Defendant [Rite Aid] violated public policy by failing to comply with 42 U.S.C. 1320,' the Health Insurance Portability and Accountability Act (HIPAA). The plaintiff also alleged violation of California state law, specifically negligence and invasion of privacy. The court dismissed the HIPAA cause of action, finding that that statute contained no express or implied private right of action for its breach. The state-law negligence and invasion-of-privacy claims were allowed to go forward, however.

In California, a plaintiff must allege four elements to state a cause of action for negligence: 1) duty; 2) breach; 3) causation; and 4) damages. Ileto v. Glock Inc. , 349 F.3d 1191, 1203 (9th Cir.2003). The Poli plaintiff had alleged, 'Defendants had a duty not to disclose medical information without adequate cause or a proper subpoena. Defendants breached this duty by disclosing Plaintiff's medical information to a third party without adequate cause or a proper subpoena. As a proximate result … Plaintiff has become mentally traumatized, distressed and aggravated.' These allegations, the court determined, covered all four elements of the state-law-based tort of negligence. Thus, the motion to dismiss the negligence claim was denied.

Similarly, the invasion of privacy claim could not be dismissed because plaintiff had alleged the requisite elements of that tort, namely: 1) that he had a legally protected privacy interest; 2) that he had a reasonable expectation of privacy under the circumstances; and 3) that the defendant's conduct amounted to a serious invasion of a protected privacy interest. Egan v. Schmock , 93 Fed. Supp.2d 1090 (N.D.Cal.2000). Here, the court found that 'a reasonable person could have an expectation of privacy under the circumstances alleged by plaintiff.'

Breach of Contract: A Connecticut Plaintiff Takes Another Tack

Another way in which a patient could recover for unauthorized release of private medical information is breach of contract. That is the basis upon which the plaintiff sought damages in Meade v. Orthopedic Associates of Windham County, Not Reported in A.2d, 2007 WL 4755001(Conn.Super.,2007).

The court there allowed the claim to go forward, in spite of the fact that there is no established cause of action in Connecticut for breach of confidence in the context of a patient-physician or patient-hospital relationship.

The plaintiff in Meade filed a 16-count complaint against defendant Day Kimball Hospital, which had treated him for alcohol abuse. The court threw out all but one of those counts, leaving in place the contract breach claim. The facts alleged to support the breach of contract claim were these: that Day Kimball was 'a covered entity pursuant to the Health Insurance Portability and Accountability Act (HIPAA)' and was 'required to comply with provisions of 42 USC Part 2 relating to confidentiality of medical records of persons undergoing treatment for substance abuse.' While at Day Kimball Hospital for treatment of alcoholism, plaintiff had signed an authorization-for-release-of-information form. That form named all the persons and institutions to which the patient authorized released of his medical records. Not included on that list was Orthopedics Associates. However, at the request of an 'employee of Orthopedics Associates' ' with which Day Kimball had a business agreement ' Day Kimball released the plaintiff's medical records to Orthopedics Associates. Plaintiff had never been a patient of Orthopedics Associates. (Apparently not coincidentally, plaintiff's ex-wife worked at Orthopedics Associates.) Plaintiff found out about the release of his records when his ex-wife moved the custody court handling his domestic legal issues to modify custody because of plaintiff's alleged severe alcoholism. Plaintiff alleged his ex-wife also notified his business associates and others that he was being treated for alcoholism, ruining his reputation in the community.

The court handling the contract claim against the hospital noted that, in Connecticut, 'The elements of a breach of contract action are the formation of an agreement, performance by one party, breach of the agreement by the other party and damages.' Chiulli v. Zola , 97 Conn.App. 699 (2006). Here, the plaintiff alleged that Day Kimball 'entered a contractual relationship with plaintiff to provide care and treatment to him in accordance with its institutional policies and procedures, and with public law and policy.' Although the plaintiff did not allege that the parties entered into a written contract, he did allege that he executed an authorization for release of information in which he 'expressly' identified 'those person[s] to whom defendant Day Kimball was authorized to release his medical records and protected health information.' The court concluded, based on these allegations, that '[a]t a minimum, there appears to be an implied contract between the parties concerning the plaintiff's alcohol treatment program. The plaintiff alleges that Day Kimball breached its contract with the plaintiff by violating its own institutional policies and procedures as reflected in the hospital's use of an authorization, and public law and policy as reflected in HIPAA.' This, the court found, was sufficient to defeat the defendant's motion to dismiss the breach of contract action.

Conclusion

When a patient sues for violation of a state legislated right to privacy, breach of contract or on some other basis, courts will obviously have to scrutinize the individual facts and circumstances of the case to determine whether the violation was sufficiently negligent, reckless, or even knowingly conducted to warrant imposition of punitive damages, or even liability. But a state's strong interest in supporting patient privacy, which could lead to liability and the imposition of punitive damages, highlights the importance of strictly maintaining patient privacy and confidentiality.

To avoid liability, physicians and health care entities must have written policies and procedures in place to deal with privacy issues so that even a well intentioned, but nonetheless inappropriate, disclosure of private health information can be prevented. Attention needs to be given not exclusively to HIPAA, but to all applicable federal, state and local laws, rules and regulations that exist to protect patient privacy.

Gary S. Sastow, Esq. is of counsel at Meiselman, Denlea, Packman, Carton & Eberz P.C., located in White Plains, NY. For nearly 30 years, Meiselman, Denlea has represented physicians and other health care providers in litigation, transactional and regulatory matters. He can be reached at 914-517-5000, or [email protected]. Janice G. Inman is Editor-in-Chief of this newsletter.