November 3, 2011

Eagle Surgical Supply, Inc. v Geico Ins. Co. (2011 NY Slip Op 52142(U))


The court in this case considered the issue of whether identifiable confidential medical records could be admitted into a public civil judicial proceeding without a HIPAA authorization or Privacy Rule exception being demonstrated. This was a no-fault action for first party benefits where the defendant insurer had not obtained a HIPAA authorization from the plaintiff’s assignor, nor did they cite any statutory or regulatory scheme to allow disclosure of identifiable confidential health information. The court found that HIPAA regulations were applicable to the case and the information could not be disclosed in a public civil trial. Therefore, the court imposed the remedy of exclusion of medical testimonial evidence and entered judgment in favor of the plaintiff against the defendant insurer. The decision was based on the fact that the defendant had failed to comply with HIPAA and the Privacy Rule, and that lack of compliance justified the exclusion of evidence and judgment in favor of the plaintiff.

Reported in New York Official Reports at Eagle Surgical Supply, Inc. v Geico Ins. Co. (2011 NY Slip Op 52142(U))

Eagle Surgical Supply, Inc. v Geico Ins. Co. (2011 NY Slip Op 52142(U)) [*1]
Eagle Surgical Supply, Inc. v Geico Ins. Co.
2011 NY Slip Op 52142(U) [33 Misc 3d 1227(A)]
Decided on November 3, 2011
Civil Court Of The City Of New York, Bronx County
Padilla, J.
Published by New York State Law Reporting Bureau pursuant to Judiciary Law § 431.
As corrected in part through March 15, 2012; it will not be published in the printed Official Reports.
Decided on November 3, 2011

Civil Court of the City of New York, Bronx County

Eagle Surgical Supply, Inc., a/a/o Shalina Akter, Plaintiff,


Geico Insurance Company, Defendant.


Plaintiff represented by:

David Streiner, Esq.

Law Offices of Melissa Betancourt PC

Defendant represented by:

John DeOliveira, Esq.

Law Offices of Teresa M. Spina

Jose A. Padilla Jr., J.

The issue raised in this no-fault action for first party benefits concerns the admissibility of identifiable confidential medical records in a public civil judicial proceeding where no HIPAA authorization or Privacy Rule exception has been demonstrated. On 9/19/11, this Court conducted a bench trial in this no-fault action, wherein the parties stipulated to plaintiff’s prima facie case thus shifting the burden of proof to defendant insurer. In response to the Court’s inquiry whether defense counsel had a HIPAA authorization executed by assignor Shalina Akter (“Akter”), defense counsel conceitedly replied that he neither had one nor required one. Defense counsel argued HIPAA was inapplicable to a no-fault action, but did not cite any statutory or regulatory scheme to allow disclosure of Akter’s identifiable confidential health information in a public civil trial.

The Privacy Rule (45 CFR Titles 160 and 164) promulgated by the United States Department of Health and Human Services under authority granted in the Health Insurance Portability and Accountability Act (“HIPAA”) (Pub. L. No. 104-991, 110 US Stat 1936, codified in various titles of the United States Code) prohibits the disclosure of an identifiable patient’s medical record in a public civil judicial proceeding without the patient’s authorization, subject to certain exceptions (45 CFR §164.508; Matter of Miguel M., 17 NY3d 37, rearg den __NY3d __, 2011 NY Slip Op 86319). The Privacy Rule contains exemptions for disclosure of confidential health records where: 1) the information is to be exchanged for billing purposes (45 CFR [*2]§164.506); 2) in a workers’ compensation action (45 CFR §164.512 [1]); or 3) submission of a claim to an arbitration panel (45 CFR §164.506). None of these scenarios are present herein.[FN1] HIPAA regulations can be pre-empted upon a demonstration that state law offers “more stringent” protections (see, HIPAA §264 [c][2]; Privacy Rule 45 CFR §160.203 [b]), but none was shown by counsel, nor found to exist herein by this Court.

The Privacy Rule authorizes disclosure of health information, subject to certain conditions, “in the course of any judicial or administrative proceeding,” in a response to “an order of a court or administrative tribunal” (45 CFR §164.512 [e][1][i]) or “a subpoena, discovery request or other lawful process” (45 CFR § 164.512 [e][1][ii]). The Privacy Rule also contains an exception for subpoenas and the like. This exception is conditioned on the demonstration of “satisfactory assurance,” from the party seeking the information, of compliance with the elements set forth in 45 CFR §165.512 (e)(1)(iii). Due to defendant’s position that HIPAA did not apply to no-fault actions, it intentionally failed to avail itself of the above-noted procedures under the Privacy Rule. The Court notes that plaintiff’s counsel never offered nor acknowledged if its office had ever obtained a HIPAA authorization from its assignor or exchanged one with opposing counsel.

Previously, this Court had repeatedly informed defendant’s law firm, among others, of the need to comply with the HIPAA statute’s authorization prerequisites.[FN2] While HIPAA does not create a private cause of action for those aggrieved (see, 65 CFR §2566), failure to comply with HIPAA and the Privacy Rule can result in imposition of federal civil and criminal penalties (42 USC §1320d-5). These fines and penalties range from as low as $100 per incident/annual maximum of $25,000 for repeat violations for negligent disclosures, to $50,000 per violation with annual maximum of $1.5 million for uncorrected wilful negligent violations; along with fines of up to $250,000 and imprisonment for up to 10 years where unauthorized identifiable health information has been intentionally used for “commercial advantage” (see, American Recovery and Reinvestment Act of 2009, Public L. No. 111-5). The mere “inconvenience” to the insurer or assignee of first party no-fault benefits does not justify disregarding the confidentiality interest protected by HIPAA and the Privacy Rule. Accordingly, this Court imposes the judicially sanctioned remedy of exclusion of proposed medical testimonial evidence (Matter of Miguel M., supra [medical records obtained in violation of HIPAA or the Privacy Rule and the information contained in those records were deemed inadmissible in a proceeding to compel assisted outpatient treatment]), in the absence of a HIPAA authorization or compliance with the Privacy Rule exceptions. [*3]

In light of the stipulation between the parties, the exclusion of any proposed defense medical testimony on the issue of medical necessity and the lack of any other evidence submitted in opposition to plaintiff’s prima facie case, the Clerk of the Court is directed to enter judgment in favor of plaintiff against defendant insurer GEICO Insurance Company in the sum of $1346.76 with statutory interest, cost and fees as of 5/29/08.

This constitutes the Decision and Order of this Court.


Jose A. Padilla, Jr.

Judge of the Civil Court


Footnote 1:“The maxim expression unius est exclusio alterius is applied in the construction of the statutes, so that where a law expressly describes a particular act, thing or person to which it shall apply, an irrefutable inference must be drawn that what it omitted or not included was intended to be omitted or excluded,” (NY Statutes §240). Since HIPAA explicitly exempts pre-authorization in workers compensation and arbitration cases but made no exemption for no-fault actions, the only inescapable conclusion is that Congress did not mean to exclude no-fault benefits related actions from HIPAA or the Privacy Rule.

Footnote 2: Defense counsel’s reliance on the NYS Department Insurance Opinion Letter, dated July 8, 2003, is misplaced as that letter’s analysis and conclusion dealt primarily with HIPAA’s inapplicability in a workers’ compensation setting.