Byrne v. Avery Center for Obstetrics & Gynecology, P.C. (2014)


    ******************************************************
    The ‘‘officially released’’ date that appears near the
    beginning of each opinion is the date the opinion will
    be published in the Connecticut Law Journal or the
    date it was released as a slip opinion. The operative
    date for the beginning of all time periods for filing
    postopinion motions and petitions for certification is
    the ‘‘officially released’’ date appearing in the opinion.
    In no event will any such motions be accepted before
    the ‘‘officially released’’ date.
    All opinions are subject to modification and technical
    correction prior to official publication in the Connecti-
    cut Reports and Connecticut Appellate Reports. In the
    event of discrepancies between the electronic version
    of an opinion and the print version appearing in the
    Connecticut Law Journal and subsequently in the Con-
    necticut Reports or Connecticut Appellate Reports, the
    latest print version is to be considered authoritative.
    The syllabus and procedural history accompanying
    the opinion as it appears on the Commission on Official
    Legal Publications Electronic Bulletin Board Service
    and in the Connecticut Law Journal and bound volumes
    of official reports are copyrighted by the Secretary of
    the State, State of Connecticut, and may not be repro-
    duced and distributed without the express written per-
    mission of the Commission on Official Legal
    Publications, Judicial Branch, State of Connecticut.
    ******************************************************
    EMILY BYRNE v. AVERY CENTER
    FOR OBSTETRICS AND
    GYNECOLOGY, P.C.
    (SC 18904)
    Rogers, C. J., and Norcott, Palmer, Zarella, Eveleigh, McDonald and
    Vertefeuille, Js.*
    Argued March 12, 2013—officially released November 11, 2014
    Bruce L. Elstein, with whom, on the brief, was Henry
    Elstein, for the appellant (plaintiff).
    James F. Biondo, with whom, on the brief, was
    Audrey D. Medd, for the appellee (defendant).
    Opinion
    NORCOTT, J. Congress enacted the Health Insurance
    Portability and Accountability Act of 1996 (HIPAA), 42
    U.S.C. § 1320d et seq., as a comprehensive legislative
    and regulatory scheme to, inter alia, protect the privacy
    of patients’ health information given emerging advances
    in information technology. In this appeal, we determine
    whether HIPAA, which lacks a private right of action
    and preempts ‘‘contrary’’ state laws; 42 U.S.C. § 1320d-
    7 (2006);1 preempts state law claims for negligence and
    negligent infliction of emotional distress against a
    health care provider who is alleged to have improperly
    breached the confidentiality of a patient’s medical
    records in the course of complying with a subpoena.
    The plaintiff, Emily Byrne,2 appeals from the judgment
    of the trial court dismissing counts two and four of the
    operative amended complaint (complaint) filed against
    the defendant, the Avery Center for Obstetrics and
    Gynecology, P.C.3 On appeal, the plaintiff contends that
    the trial court improperly concluded that her state law
    claims for negligence and negligent infliction of emo-
    tional distress were preempted by HIPAA. We conclude
    that, to the extent that Connecticut’s common law pro-
    vides a remedy for a health care provider’s breach of
    its duty of confidentiality in the course of complying
    with a subpoena, HIPAA does not preempt the plaintiff’s
    state common-law causes of action for negligence or
    negligent infliction of emotional distress against the
    health care providers in this case and, further, that
    regulations of the Department of Health and Human
    Services (department) implementing HIPAA may
    inform the applicable standard of care in certain circum-
    stances. Accordingly, we reverse the judgment of the
    trial court.
    The trial court’s memorandum of decision sets forth
    the following undisputed facts and procedural history.
    ‘‘Before July 12, 2005, the defendant provided the plain-
    tiff [with] gynecological and obstetrical care and treat-
    ment. The defendant provided its patients, including
    the plaintiff, with notice of its privacy policy regarding
    protected health information and agreed, based on this
    policy and on law, that it would not disclose the plain-
    tiff’s health information without her authorization.
    ‘‘In May, 2004, the plaintiff began a personal relation-
    ship with Andro Mendoza, which lasted until Septem-
    ber, 2004.4 . . . In October, 2004, she instructed the
    defendant not to release her medical records to Men-
    doza. In March, 2005, she moved from Connecticut to
    Vermont where she presently lives. On May 31, 2005,
    Mendoza filed paternity actions against the plaintiff in
    Connecticut and Vermont. Thereafter, the defendant
    was served with a subpoena requesting its presence
    together with the plaintiff’s medical records at the New
    Haven Regional Children’s [Probate Court] on July 12,
    2005. The defendant did not alert the plaintiff of the
    subpoena, file a motion to quash it or appear in court.
    Rather, the defendant mailed a copy of the plaintiff’s
    medical file to the court around July 12, 2005. In Septem-
    ber, 2005, ‘[Mendoza] informed [the] plaintiff by tele-
    phone that he reviewed [the] plaintiff’s medical file in
    the court file.’ On September 15, 2005, the plaintiff filed
    a motion to seal her medical file, which was granted.
    The plaintiff alleges that she suffered harassment and
    extortion threats from Mendoza since he viewed her
    medical records.’’5 (Footnotes altered.)
    The plaintiff subsequently brought this action against
    the defendant. Specifically, the operative complaint in
    the present case alleges that the defendant: (1)
    breached its contract with her when it violated its pri-
    vacy policy by disclosing her protected health informa-
    tion without authorization; (2) acted negligently by
    failing to use proper and reasonable care in protecting
    her medical file, including disclosing it without authori-
    zation in violation of General Statutes § 52-146o6 and
    the department’s regulations implementing HIPAA;7 (3)
    made a negligent misrepresentation, upon which the
    plaintiff relied to her detriment, that her ‘‘medical file
    and the privacy of her health information would be
    protected in accordance with the law’’; and (4) engaged
    in conduct constituting negligent infliction of emotional
    distress. After discovery, the parties filed cross motions
    for summary judgment.
    With respect to the plaintiff’s negligence based claims
    in counts two and four of the complaint, the trial court
    agreed with the defendant’s contention that ‘‘HIPAA
    preempts ‘any action dealing with confidentiality/pri-
    vacy of medical information,’ ’’ which prompted the
    court to treat the summary judgment motion as one
    seeking dismissal for lack of subject matter jurisdiction.
    In its memorandum of decision, the trial court first
    considered the plaintiff’s negligence claims founded on
    the violations of the regulations implementing HIPAA.
    The court first observed the ‘‘well settled’’ proposition
    that HIPAA does not create a private right of action,
    requiring claims of violations instead to be raised
    through the department’s administrative channels. The
    trial court then relied on Fisher v. Yale University,
    Superior Court, judicial district of New Haven, Complex
    Litigation Docket, Docket No. X10-CV-04-4003207-S
    (April 3, 2006), and Meade v. Orthopedic Associates of
    Windham County, Superior Court, judicial district of
    Windham, Docket No. CV-06-4005043-S (December 27,
    2007),8 and rejected the plaintiff’s claim that she had
    not utilized HIPAA as the basis of her cause of action,
    but rather, relied on it as ‘‘ ‘evidence of the appropriate
    standard of care’ for claims brought under state law,
    namely, negligence.’’9 Emphasizing that the courts can-
    not supply a private right of action that the legislature
    intentionally had omitted, the trial court noted that the
    ‘‘plaintiff has labeled her claims as negligence claims,
    but this does not change their essential nature. They
    are HIPAA claims.’’ The trial court further determined
    that the plaintiff’s statutory negligence claims founded
    on a violation of § 52-146o were similarly preempted
    because the state statute had been superseded by
    HIPAA, and thus the plaintiff’s state statutory claim
    ‘‘amount[ed] to a claim for a HIPAA violation, a claim
    for which there is no private right of action.’’10
    The trial court concluded similarly with respect to
    the plaintiff’s common-law negligence claims, observ-
    ing that, under the regulatory definitions implementing
    HIPAA’s preemption provision; see 42 U.S.C. § 1320d-
    7 (a); 45 C.F.R. § 160.202 (2004);11 to ‘‘the extent that
    common-law negligence permits a private right of
    action for claims that amount to HIPAA violations, it
    is a contrary provision of law and subject to HIPAA’s
    preemption rule. Because it is not more stringent,
    according to the definition of 45 C.F.R. § 160.202, the
    preemption exception does not apply.’’ For the same
    reasons, the trial court dismissed count four of the
    complaint, claiming negligent infliction of emotional
    distress.
    With respect to the remainder of the pending motions,
    the trial court first denied, on the basis of its previous
    preemption determinations, the plaintiff’s motion for
    summary judgment, which had claimed that the defen-
    dant’s conduct in responding to the subpoena violated
    the HIPAA regulations, specifically 45 C.F.R. § 164.512
    (e),12 as a matter of law. The trial court denied, however,
    the defendant’s motion for summary judgment with
    respect to the remaining counts of the complaint,
    namely, count one alleging breach of contract and count
    three alleging negligent misrepresentation, determining
    that genuine issues of material fact existed with respect
    to contract formation through the defendant’s privacy
    policy, and whether the plaintiff had received and relied
    upon that policy. Thus, the trial court denied the defen-
    dant’s motion for summary judgment as to counts one
    and three of the complaint, and dismissed counts two
    and four of the complaint for lack of subject matter
    jurisdiction. This appeal followed. See footnote 3 of
    this opinion.
    On appeal, the plaintiff claims that the trial court
    improperly determined that HIPAA preempted her neg-
    ligence based state law claims. Conceding that there is
    no private right of action under HIPAA, the plaintiff
    asserts that she is not asserting a claim for relief prem-
    ised solely on a violation of HIPAA, but rather, relies
    heavily on Merrell Dow Pharmaceuticals, Inc. v.
    Thompson, 478 U.S. 804, 106 S. Ct. 3229, 92 L. Ed. 2d 650
    (1986), Acosta v. Byrum, 180 N.C. App. 562, 638 S.E.2d 246
    (2006), and R.K. v. St. Mary’s Medical Center, Inc.,
    229 W. Va. 712, 735 S.E.2d 715 (2012), cert.
    denied,     U.S. , 133 S. Ct. 1738, 185 L. Ed. 2d 788
    (2013), in support of the proposition that common-law
    negligence actions, with HIPAA informing the standard
    of care, may complement rather than ‘‘obstruct’’ HIPAA
    for preemption purposes. Citing, inter alia, Mead v.
    Burns, 199 Conn. 651, 662–63, 509 A.2d 11 (1986), and
    Wendland v. Ridgefield Construction Services, Inc.,
    184 Conn. 173, 181, 439 A.2d 954 (1981), the plaintiff
    emphasizes that the use of other state law causes of
    action to enforce statutes otherwise lacking private
    rights of action has been upheld by this court in the
    analogous contexts of the Connecticut Unfair Insurance
    Practices Act, General Statutes § 38a-815 et seq., and
    the federal Occupational Safety and Health Act (OSHA),
    29 U.S.C. § 651 et seq., and its state counterpart, General
    Statutes § 31-367 et seq. The plaintiff further argues
    that, under HIPAA and its implementing regulation; see
    42 U.S.C. § 1320d-7 (a) (1); 45 C.F.R. § 160.202; her state
    law claims for relief are not preempted because it is
    not ‘‘contrary to’’ HIPAA to provide for damages under
    state common-law claims for privacy breaches.
    In response, the defendant relies on the long line of
    federal and state cases establishing that there is no
    private right of action, express or implied, under HIPAA.
    See, e.g., O’Donnell v. Blue Cross Blue Shield of
    Wyoming, 173 F. Supp. 2d 1176 (D. Wyo. 2001); Fisher v.
    Yale University, supra, Superior Court, Docket No.
    X10-CV-04-4003207-S. Observing that ‘‘playing word games
    does not change the underlying theory of liability,’’ the
    defendant relies on Young v. Carran, 289 S.W.3d 586
    (Ky. App. 2008), review denied, 2009 Ky. LEXIS 592 (Ky.
    August 19, 2009), and Bonney v. Stephens Memorial
    Hospital, 17 A.3d 123 (Me. 2011), and contends that,
    because there is no private right of action under HIPAA,
    ‘‘a plaintiff cannot use a violation of HIPAA as the stan-
    dard of care for underlying claims, such as negligence.’’
    The defendant further emphasizes that the plaintiff’s
    negligence claim relying on § 52-146o is preempted
    because HIPAA is more stringent than the state statute.
    Finally, the defendant also argues briefly, in what
    appears to be either alternative grounds for affirming
    the judgment of the trial court or matters likely to arise
    on remand, that: (1) there is no private right of action
    under § 52-146o; and (2) it was not obligated, as a matter
    of law, to inform the plaintiff that it had complied with
    a subpoena, and its compliance with the subpoena did
    not violate her privacy rights.13
    We note at the outset that whether Connecticut’s
    common law provides a remedy for a health care provid-
    er’s breach of its duty of confidentiality, including in
    the context of responding to a subpoena, is not an
    issue presented in this appeal. Thus, assuming, without
    deciding, that Connecticut’s common law recognizes
    a negligence cause of action arising from health care
    providers’ breaches of patient privacy in the context of
    complying with subpoenas,14 we agree with the plaintiff
    and conclude that such an action is not preempted by
    HIPAA and, further, that the HIPAA regulations may
    well inform the applicable standard of care in certain
    circumstances.
    I
    PREEMPTION CLAIMS
    The defendant’s claim that HIPAA preemption shifts
    the exclusive venue for the resolution of all disputes
    relating to that statute from the state court to the federal
    administrative forum implicates our subject matter
    jurisdiction. See, e.g., Stokes v. Norwich Taxi, LLC,
    289 Conn. 465, 488 and n.18, 958 A.2d 1195 (2008). As the
    trial court properly noted, the defendant’s summary
    judgment essentially was a ‘‘motion to dismiss [that]
    . . . properly attacks the jurisdiction of the court,
    essentially asserting that the plaintiff cannot as a matter
    of law and fact state a cause of action that should be
    heard by the court. . . . A motion to dismiss tests, inter
    alia, whether, on the face of the record, the court is
    without jurisdiction. . . . [O]ur review of the court’s
    ultimate legal conclusion and resulting [determination]
    of the motion to dismiss will be de novo. . . . In under-
    taking this review, we are mindful of the well estab-
    lished notion that, in determining whether a court has
    subject matter jurisdiction, every presumption favoring
    jurisdiction should be indulged.’’ (Citation omitted;
    internal quotation marks omitted.) Conboy v. State,
    292 Conn. 642, 650, 974 A.2d 669 (2009); see also Practice
    Book § 10-31 (a) (1).
    Whether state causes of action are preempted by
    federal statutes and regulations is a question of law
    over which our review is plenary. See, e.g., Hackett v.
    J.L.G. Properties, LLC, 285 Conn. 498, 502–503,
    940 A.2d 769 (2008). Thus, we note that ‘‘the ways in which
    federal law may [preempt] state law are well established
    and in the first instance turn on congressional intent.
    . . . Congress’ intent to supplant state authority in a
    particular field may be express[ed] in the terms of the
    statute.’’ (Internal quotation marks omitted.) Id., 503;
    see also id., 504 (‘‘The question of preemption is one
    of federal law, arising under the supremacy clause of the
    United States constitution. . . . Determining whether
    Congress has exercised its power to preempt state law
    is a question of legislative intent.’’ [Internal quotation
    marks omitted.]).
    Turning to the HIPAA provisions at issue in this
    appeal, we note by way of background that, ‘‘[r]ecogniz-
    ing the importance of protecting the privacy of health
    information in the midst of the rapid evolution of health
    information systems, Congress passed HIPAA in August
    1996. HIPAA’s Administrative Simplification provisions,
    [§§] 261 through 264 of [Public Law 104-191], were
    designed to improve the efficiency and effectiveness of
    the health care system by facilitating the exchange of
    information with respect to financial and administrative
    transactions carried out by health plans, health care
    clearinghouses, and health care providers who transmit
    information in connection with such transactions. . . .
    ‘‘Within the Administrative Simplification section,
    Congress included another provision—[§] 264—outlin-
    ing a two-step process to address the need to afford
    certain protections to the privacy of health information
    maintained under HIPAA. First, [§] 264 (a) directed
    [the department] to submit to Congress within twelve
    months of HIPAA’s enactment ‘detailed recommenda-
    tions on standards with respect to the privacy of individ-
    ually identifiable health information.’ . . . Second, if
    Congress did not enact further legislation pursuant to
    these recommendations within thirty-six months of the
    enactment of HIPAA, [the department] was to promul-
    gate final regulations containing such standards.’’ (Cita-
    tions omitted; footnote omitted.) South Carolina
    Medical Assn. v. Thompson, 327 F.3d 346, 348 (4th Cir.),
    cert. denied, 540 U.S. 981, 124 S. Ct. 464, 157 L. Ed. 2d
    371 (2003). Because Congress ultimately failed to pass
    any additional legislation, the department’s final regula-
    tions implementing HIPAA, known collectively as the
    ‘‘Privacy Rule,’’ were ‘‘promulgated in February 2001,’’
    with compliance phased in over the next few years.15
    Id., 349.
    With respect to the preemptive effect of HIPAA, 42
    U.S.C. § 1320d-7 (a) (i) provides that: ‘‘Except as pro-
    vided in paragraph (2), a provision or requirement under
    this part, or a standard or implementation specification
    adopted or established under sections 1320d-1 through
    1320d-3 of this title, shall supersede any contrary provi-
    sion of State law, including a provision of State law
    that requires medical or health plan records (including
    billing information) to be maintained or transmitted in
    written rather than electronic form.’’ (Emphasis added.)
    See footnote 1 of this opinion for the complete text
    of 42 U.S.C. § 1320d-7. The department’s regulations,
    namely, 45 C.F.R. § 160.202 (2004) and 45 C.F.R.
    § 160.203, provide additional explication of HIPAA’s
    preemptive effect. Specifically, 45 C.F.R. § 160.203 pro-
    vides as a ‘‘general rule’’ that a ‘‘standard, requirement,
    or implementation specification adopted under this sub-
    chapter that is contrary to a provision of State law
    preempts the provision of State law.’’ (Emphasis
    added.) A state law is ‘‘contrary’’ to HIPAA if ‘‘(1) A
    covered entity would find it impossible to comply with
    both the [s]tate and [f]ederal requirements; or (2) [t]he
    provision of [s]tate law stands as an obstacle to the
    accomplishment and execution of the full purposes and
    objectives of part C of title XI of [HIPPA], [§] 264 of
    [Public Law] 104-191, as applicable.’’ (Emphasis added.)
    45 C.F.R. § 160.202 (2004). The regulations define a
    ‘‘[s]tate law’’ as ‘‘a constitution, statute, regulation, rule,
    common law, or other [s]tate action having the force
    and effect of law.’’ (Emphasis added.) 45 C.F.R.
    § 160.202 (2004).
    As relevant to this appeal, state laws exempted from
    preemption include those that ‘‘[relate] to the privacy of
    individually identifiable health information16 and [are]
    more stringent than a standard, requirement, or imple-
    mentation specification adopted under subpart E of part
    164 of this subchapter.’’17 (Emphasis added; footnote
    added.) 45 C.F.R. § 160.203 (b). A state law is ‘‘[m]ore
    stringent’’ ‘‘in the context of a comparison of a provision
    of [s]tate law and a standard, requirement, or implemen-
    tation specification adopted under subpart E of part
    164 of this subchapter, [if it] meets one or more of the
    following criteria:
    ***
    ‘‘(4) With respect to the form, substance, or the need
    for express legal permission from an individual, who
    is the subject of the individually identifiable health
    information, for use or disclosure of individually identi-
    fiable health information, provides requirements that
    narrow the scope or duration, increase the privacy pro-
    tections afforded (such as by expanding the criteria
    for), or reduce the coercive effect of the circumstances
    surrounding the express legal permission, as applica-
    ble. . . .
    ‘‘(6) With respect to any other matter, provides
    greater privacy protection for the individual who is the
    subject of the individually identifiable health informa-
    tion.’’ 45 C.F.R. § 160.202 (2004); see also footnote 11
    of this opinion.
    This statutory and regulatory background brings us
    to the question in the present appeal, namely, whether
    HIPAA preempts a state law claim sounding in negli-
    gence arising from a health care provider’s alleged
    breach of physician-patient confidentiality in the course
    of complying with a subpoena. It is by now well settled
    that the ‘‘statutory structure of HIPAA . . . precludes
    implication of a private right of action. [Section]
    1320d–6 [of title 42 of the United States Code]18
    expressly provides a method for enforcing its prohibi-
    tion upon use or disclosure of individual’s health infor-
    mation—the punitive imposition of fines and
    imprisonment for violations.’’ (Footnote added.)
    University of Colorado Hospital Authority v. Denver
    Publishing Co., 340 F. Supp. 2d 1142, 1145 (D. Colo. 2004);
    see also, e.g., 42 U.S.C. § 1320d-5 (providing for
    administrative enforcement by department and state
    attorneys general); Dodd v. Jones, 623 F.3d 563, 569
    (8th Cir. 2010); Acara v. Banks, 470 F.3d 569, 571
    (5th Cir. 2006); Rzayeva v. United States,
    492 F. Supp. 2d 60, 83 (D. Conn. 2007); O’Donnell v.
    Blue Cross Blue Shield of Wyoming, supra,
    173 F. Supp. 2d 1180–81.
    Nevertheless, it is similarly well established that,
    ‘‘[o]rdinarily, state causes of action are not [preempted]
    solely because they impose liability over and above that
    authorized by federal law.’’ (Internal quotation marks
    omitted.) English v. General Electric Co., 496 U.S. 72,
    89, 110 S. Ct. 2270, 110 L. Ed. 2d 65 (1990); see also
    id., 87–90 (state tort claim for intentional infliction of
    emotional distress arising from termination of whis-
    tleblower not preempted by federal legislation intended
    to occupy field of nuclear safety, even with statutes’
    provision of administrative remedy for whistleblower
    violations). As a corollary, ‘‘a complaint alleging a viola-
    tion of a federal statute as an element of a state cause
    of action, when Congress has determined that there
    should be no private, federal cause of action for the
    violation, does not state a claim ‘arising under the [c]on-
    stitution, laws, or treaties of the United States’ ’’ for
    purposes of federal question jurisdiction under 28
    U.S.C. § 1331. Merrell Dow Pharmaceuticals, Inc. v.
    Thompson, supra, 478 U.S. 817; see also Grable & Sons
    Metal Products, Inc. v. Darue Engineering & Mfg.,
    545 U.S. 308, 319, 125 S. Ct. 2363, 162 L. Ed. 2d 257 (2005)
    (‘‘[a] general rule of exercising federal jurisdiction over
    state claims resting on federal mislabeling and other
    statutory violations would thus have heralded a poten-
    tially enormous shift of traditionally state cases into
    federal courts’’).
    Consistent with these principles, the regulatory his-
    tory of the HIPAA demonstrates that neither HIPAA nor
    its implementing regulations were intended to preempt
    tort actions under state law arising out of the unautho-
    rized release of a plaintiff’s medical records. As the
    plaintiff aptly notes, one commenter during the rulem-
    aking process had ‘‘raised the issue of whether a private
    right of action is a greater penalty, since the proposed
    federal rule has no comparable remedy.’’19 Standards
    for Privacy of Individually Identifiable Health Informa-
    tion, 65 Fed. Reg. 82,462, 82,582 (December 28, 2000).
    In its administrative commentary to the final rule as
    promulgated in the Federal Register, the department
    responded to this question by stating, inter alia, that
    ‘‘the fact that a state law allows an individual to file [a
    civil action] to protect privacy does not conflict with
    the HIPAA penalty provisions,’’ namely, fines and
    imprisonment. (Emphasis added.) 
    Id. This agency
    com-
    mentary on final rules in the Federal Register is signifi-
    cant evidence of regulatory intent. See, e.g., Exelon
    Generation Co., LLC v. Local 15, International Broth-
    erhood of Electrical Workers, AFL-CIO, 
    676 F.3d 566
    ,
    573–75 (7th Cir. 2012); Southeast Alaska Conservation
    Council v. United States Army Corps of Engineers, 
    486 F.3d 638
    , 648 (9th Cir. 2007), rev’d on other grounds
    sub nom. Coeur Alaska, Inc. v. Southeast Alaska Con-
    servation Council, 
    557 U.S. 261
    , 
    129 S. Ct. 2458
    , 
    174 L. Ed. 2d 193
    (2009). Indeed, ‘‘[w]here an agency has
    authoritatively interpreted its own rule, courts generally
    defer to that reading unless it is plainly erroneous or
    inconsistent with the regulation.’’ (Internal quotation
    marks omitted.) Exelon Generation Co., LLC v. Local
    15, International Brotherhood of Electrical Workers,
    AFL-CIO, supra, 570.
    Consistent with this regulatory history, the parties’
    briefs and our independent research disclose a number
    of cases from the federal and sister state courts holding
    that HIPAA, and particularly its implementation
    through the Privacy Rule regulations, does not preempt
    causes of action, when they exist as a matter of state
    common or statutory law, arising from health care pro-
    viders’ breaches of patient confidentiality in a variety
    of contexts; indeed, several have determined that
    HIPAA may inform the relevant standard of care in such
    actions.20 See I.S. v. Washington University, United
    States District Court, Docket No. 4:11CV235SNLJ (E.D.
    Mo. June 14, 2011) (The court rejected the defendant’s
    argument that the ‘‘negligence per se’’ count of the
    plaintiff’s complaint, premised on HIPAA violations, ‘‘in
    reality is a claim for violation of HIPAA, which is imper-
    missible under federal law,’’ but remanding claim to
    state court because it ‘‘does not raise any compelling
    federal interest nor is a substantial federal question
    presented. Although HIPAA is clearly implicated in the
    claim for negligence per se, said claim fall[s] within
    that broad class of state law claims based on federal
    regulations in the state court . . . .’’ [Internal quotation
    marks omitted.]); Harmon v. Maury County, United
    States District Court, Docket No. 1:05CV0026 (M.D.
    Tenn. August 31, 2005) (concluding that plaintiffs’ negli-
    gence per se claims founded on violation of HIPAA
    privacy regulation were not preempted because
    ‘‘HIPAA’s provisions do not completely preempt state
    law and expressly preserve state laws that are not incon-
    sistent with its terms’’ and ‘‘there is no private remedy
    under federal law and the critical interest is the privacy
    interests of the [p]laintiffs’’); Fanean v. Rite Aid Corp.
    of Delaware, Inc., 984 A.2d 812, 823 (Del. Super. 2009)
    (concluding that claim of negligence per se could not
    be premised on HIPAA violation, but following Toll
    Bros., Inc. v. Considine, 706 A.2d 493 [Del. 1998],
    holding ‘‘that a common law negligence claim can be
    predicated upon OSHA requirements,’’ in concluding that
    common-law negligence claim could utilize HIPAA as
    ‘‘guidepost for determining the standard of care’’);
    Young v. Carran, supra, 289 S.W.3d 588–89 (rejecting
    plaintiff’s attempt to use HIPAA as foundation for dam-
    ages claim under state ‘‘negligence per se’’ statute, but
    observing that state case law permits use of federal
    statutes otherwise to inform standard of care in
    common-law negligence action); Bonney v. Stephens
    Memorial Hospital, supra, 17 A.3d 128 (‘‘[a]lthough . . .
    HIPAA standards, like state laws and professional codes
    of conduct, may be admissible to establish the standard
    of care associated with a state tort claim, [HIPAA] itself
    does not authorize a private action’’); Yath v. Fairview
    Clinics, N.P., 767 N.W.2d 34, 49–50 (Minn. App. 2009)
    (concluding that state statutory cause of action for
    improper disclosure of medical records was not pre-
    empted by HIPAA because ‘‘[a]lthough the penalties
    under the two laws differ, compliance with [the Minne-
    sota statute] does not exclude compliance with HIPAA,’’
    and ‘‘[r]ather than creating an ‘obstacle’ to HIPAA, [the
    Minnesota statute] supports at least one of HIPAA’s
    goals by establishing another disincentive to wrongfully
    disclose a patient’s health care record’’); Acosta v.
    Byrum, supra, 180 N.C. App. 571–73 (The court concluded
    that the trial court improperly dismissed the
    negligent infliction of emotional distress case because
    the allegation that, when the psychiatrist ‘‘provided his
    medical access code . . . [he] violated the rules and
    regulations established by HIPAA . . . does not state
    a cause of action under HIPAA. Rather, [the] plaintiff
    cites to HIPAA as evidence of the appropriate standard
    of care, a necessary element of negligence.’’); Sorensen
    v. Barbuto, 143 P.3d 295, 299 n.2 (Utah App. 2006) (The
    court noted that, in concluding that the trial court
    improperly dismissed the plaintiff’s claim for breach of
    professional duties, that the defendant physician ‘‘con-
    tends that [the plaintiff] is not entitled to a private right
    of action for breach of professional standards,’’ but that
    the plaintiff ‘‘does not contend in his brief, however,
    that a private right of action exists. Rather, [the plaintiff]
    asserts that the professional standards contribute to the
    proper standard of care, citing [HIPAA], the American
    Medical Association’s Principles of Medical Ethics, and
    the Hippocratic Oath.’’); R.K. v. St. Mary’s Medical Center,
    Inc., supra, 229 W. Va. 719–21 (concluding that
    state law claims for, inter alia, negligence, outrageous
    conduct, and invasion of privacy arising from defendant
    hospital staff’s disclosure of plaintiff’s psychiatric treat-
    ment records to his wife’s divorce attorney, were not
    preempted by HIPAA and that goals of common-law
    remedies and HIPAA ‘‘are similar’’ in that ‘‘both protect
    the privacy of an individual’s health care information’’);
    but cf. Espinoza v. Gold Cross Services, Inc., 234 P.3d 156,
    158–59 (Utah App. 2010) (contrasting similar
    actions brought under California’s unfair competition
    statute and declining to consider HIPAA copy fee sched-
    ules in concluding that plaintiff’s common-law unjust
    enrichment claim arising from defendant’s allegedly
    excessive copying fees failed because ‘‘[w]e have no
    basis in state or federal law to enforce federal regula-
    tions promulgated under HIPAA, either directly or as
    a component of a state cause of action’’).21
    On the basis of the foregoing authorities, we conclude
    that, if Connecticut’s common law recognizes claims
    arising from a health care provider’s alleged breach of
    its duty of confidentiality in the course of complying
    with a subpoena, HIPAA and its implementing regula-
    tions do not preempt such claims. We further conclude
    that, to the extent it has become the common practice
    for Connecticut health care providers to follow the pro-
    cedures required under HIPAA in rendering services to
    their patients, HIPAA and its implementing regulations
    may be utilized to inform the standard of care applicable
    to such claims arising from allegations of negligence
    in the disclosure of patients’ medical records pursuant
    to a subpoena.22 The availability of such private rights
    of action in state courts, to the extent that they exist
    as a matter of state law, do not preclude, conflict with,
    or complicate health care providers’ compliance with
    HIPAA. On the contrary, negligence claims in state
    courts support ‘‘at least one of HIPAA’s goals by estab-
    lishing another disincentive to wrongfully disclose a
    patient’s health care record.’’ Yath v. Fairview Clinics,
    N.P., supra, 767 N.W.2d 50. Accordingly, we conclude
    that the trial court improperly dismissed counts two
    and four of the plaintiff’s complaint, sounding in negli-
    gence and negligent infliction of emotional distress.
    II
    OTHER CLAIMS
    Beyond the preemption issue, the parties raise two
    other matters that require attention because they may
    provide us with an opportunity to address issues that
    are likely to arise on remand or potentially provide an
    alternative basis for affirming the judgment of the trial
    court, at least in part. See, e.g., Total Recycling Services
    of Connecticut, Inc. v. Connecticut Oil Recycling Services,
    LLC, 308 Conn. 312, 325, 63 A.3d 896 (2013).
    Specifically, we address: (1) the parties’ request that
    we determine whether the defendant was negligent as
    a matter of law by not informing the plaintiff of the
    subpoena and by mailing the plaintiff’s medical records
    into court; and (2) the defendant’s argument that it is
    entitled to summary judgment on the plaintiff’s state
    statutory claims because § 52-146o does not provide a
    private right of action.
    A
    We first note that the plaintiff asks us, as a matter
    of judicial economy in the event of a remand, to deter-
    mine, as a matter of law, whether the defendant’s act
    of mailing the medical records into court in response
    to the subpoena complied with General Statutes § 52-
    143 and the federal regulatory provisions under HIPAA,
    namely, 45 C.F.R. § 164.512 (e) (1) (ii) and (iii), with
    respect to notifying the plaintiff or seeking a qualified
    protective order. See footnote 12 of this opinion. In
    response, the defendant, relying on the deposition testi-
    mony of its HIPAA consultant, contends that its act of
    mailing the records to the Probate Court complied with
    Connecticut and federal law, as its staff complied with
    the directions of the attorney who had issued the sub-
    poena and its privacy policy had unequivocally
    informed the plaintiff that it would use or disclose
    health information in response to a subpoena without
    patient authorization or the opportunity to object. The
    defendant posits that the true responsibility for the
    breach of the plaintiff’s privacy lies with the members
    of the Probate Court staff who did not seal the records
    upon receipt pending a court order making them avail-
    able to counsel.
    Given the apparently undeveloped factual record at
    this point, and the fact that the plaintiff’s breach of
    contract and negligent misrepresentation claims remain
    pending, requiring further proceedings before the trial
    court; see footnote 3 of this opinion; we decline to
    address this claim further, other than to note that state
    court pretrial practices must be HIPAA compliant; see,
    e.g., Law v. Zuckerman, 307 F. Supp. 2d 705, 710–11
    (D. Md. 2004); Arons v. Jutkowitz, 9 N.Y.3d 393, 415,
    880 N.E.2d 831, 850 N.Y.S.2d 345 (2007); a requirement
    that extends to responses to subpoenas. See State v.
    La Cava, Superior Court, judicial district of Danbury,
    Docket No. CR-06-0128258-S (May 17, 2007) (43 Conn. L.
    Rptr. 417, 418) (The trial court granted the hospital’s
    motion to quash the subpoena of the hospital records
    requested pursuant to General Statutes § 4-104 because
    ‘‘delivery of the hospital record to the clerk of court
    authorized by § 4-104 constitutes a transfer of protected
    health information to an outside entity. Yet, under 45
    C.F.R. § 164.512 [e] [1] [ii], a hospital cannot transfer
    protected health information to an outside entity with-
    out receiving the satisfactory assurances set forth in
    45 C.F.R. § 164.512 [e] [1] [ii] [A] or [B], or complying
    with the requirements of 45 C.F.R. § 164.512 [e] [1] [vi].
    Hence, a covered entity would find it impossible to
    comply with § 4-104 without violating 45 C.F.R.
    § 164.512 [e].’’).
    B
    We next turn to the defendant’s argument, founded
    on the Superior Court’s decision in Meade v. Orthopedic
    Associates of Windham County, supra, Superior Court,
    Docket No. CV-06-4005043-S, that it is entitled to sum-
    mary judgment on the plaintiff’s state law statutory
    claims under § 52-146o because that statute does not
    provide a private right of action. The plaintiff does not
    contend otherwise in her reply brief. Indeed, her argu-
    ments on other points therein suggest that her claims
    in this case are limited to violations of the state common
    law. We decline to reach the defendant’s statutory argu-
    ment because we do not read the plaintiff’s complaint
    as asserting a statutory right of action under § 52-146o.
    Accordingly, we take no position on whether § 52-146o
    provides a statutory right of action.
    ‘‘The interpretation of pleadings is always a question
    of law for the court . . . . Our review of the trial
    court’s interpretation of the pleadings therefore is ple-
    nary. . . . Furthermore, we long have eschewed the
    notion that pleadings should be read in a hypertechnical
    manner. Rather, [t]he modern trend, which is followed
    in Connecticut, is to construe pleadings broadly and
    realistically, rather than narrowly and technically. . . .
    [T]he complaint must be read in its entirety in such a
    way as to give effect to the pleading with reference to
    the general theory upon which it proceeded, and do
    substantial justice between the parties. . . . Our read-
    ing of pleadings in a manner that advances substantial
    justice means that a pleading must be construed reason-
    ably, to contain all that it fairly means, but carries with
    it the related proposition that it must not be contorted
    in such a way so as to strain the bounds of rational
    comprehension. . . . Although essential allegations
    may not be supplied by conjecture or remote implica-
    tion . . . the complaint must be read in its entirety in
    such a way as to give effect to the pleading with refer-
    ence to the general theory upon which it proceeded,
    and do substantial justice between the parties. . . . As
    long as the pleadings provide sufficient notice of the
    facts claimed and the issues to be tried and do not
    surprise or prejudice the opposing party, we will not
    conclude that the complaint is insufficient to allow
    recovery.’’ (Citations omitted; internal quotation marks
    omitted.) Grenier v. Commissioner of Transportation,
    306 Conn. 523, 536–37, 51 A.3d 367 (2012).
    The operative complaint asserts four counts, each
    captioned with a common-law cause of action, namely,
    (1) breach of contract, (2) negligence, (3) negligent
    misrepresentation, and (4) negligent infliction of emo-
    tional distress. The alleged violation of § 52-146o is men-
    tioned once as a specification of negligence in count
    two, negligence, which is incorporated by reference
    into count four, stating that ‘‘the defendant was negli-
    gent and [careless] in one or more of the following ways
    . . . . It disclosed the medical file, without authority,
    in violation of . . . § 52-146o.’’ In context, with all of
    the captioned causes of action arising from the common
    law, we read this single mention of § 52-146o as provid-
    ing one of several bases for establishing the standard
    of care applicable to the plaintiff’s common-law negli-
    gence claims and not as asserting an independent cause
    of action. See footnote 22 of this opinion and accompa-
    nying text. Thus, we conclude that the plaintiff’s com-
    plaint does not plead a statutory cause of action arising
    under § 52-146o, and decline to decide whether that
    statute provides such a private right of action.
    The judgment is reversed and the case is remanded to
    the trial court for further proceedings according to law.
    In this opinion PALMER, EVELEIGH, McDONALD
    and VERTEFEUILLE, Js., concurred.
    * The listing of justices reflects their seniority status on this court as of
    the date of oral argument.
    This case was originally scheduled to be argued before a panel of this court
    consisting of Chief Justice Rogers and Justices Norcott, Palmer, Zarella,
    Eveleigh, McDonald and Vertefeuille. Although Justice Palmer was not pre-
    sent when the case was argued before the court, he read the record and
    briefs and listened to a recording of oral argument prior to participating in
    this decision.
    1
    Title 42 of the United States Code, § 1320d-7 (a), provides in relevant
    part: ‘‘(1) . . . Except as provided in paragraph (2), a provision or require-
    ment under this part, or a standard or implementation specification adopted
    or established under sections 1320d-1 through 1320d-3 of this title, shall
    supersede any contrary provision of State law, including a provision of
    State law that requires medical or health plan records (including billing
    information) to be maintained or transmitted in written rather than elec-
    tronic form.
    ‘‘(2) Exceptions
    ‘‘A provision or requirement under this part, or a standard or implementa-
    tion specification adopted or established under sections 1320d-1 through
    1320d-3 of this title, shall not supersede a contrary provision of State law,
    if the provision of State law—
    ‘‘(A) is a provision the Secretary determines—
    ‘‘(i) is necessary—
    ‘‘(I) to prevent fraud and abuse;
    ‘‘(II) to ensure appropriate State regulation of insurance and health plans;
    ‘‘(III) for State reporting on health care delivery or costs; or
    ‘‘(IV) for other purposes; or
    ‘‘(ii) addresses controlled substances; or
    ‘‘(B) subject to section 264 (c) (2) of the Health Insurance Portability and
    Accountability Act of 1996, relates to the privacy of individually identifiable
    health information. . . .’’
    2
    We note that the trial court subsequently granted the plaintiff’s motion
    to add Douglas Wolinsky, the bankruptcy trustee appointed by the United
    States Bankruptcy Court for the District of Vermont, as a party plaintiff.
    See General Statutes § 52-108; Practice Book § 9-18. For the sake of conve-
    nience, all references to the plaintiff in this opinion are to Byrne.
    3
    Ordinarily, the trial court’s dismissal of counts two and four of the
    operative complaint would not constitute an appealable final judgment. See
    Kelly v. New Haven, 275 Conn. 580, 594, 881 A.2d 978 (2005). We note,
    however, that the plaintiff obtained permission to file the present appeal
    with the Appellate Court pursuant to Practice Book § 61-4. This appeal was
    subsequently transferred to this court pursuant to General Statutes § 51-
    199 (c) and Practice Book § 65-1.
    We also note that the defendant filed a cross appeal to the Appellate
    Court from the trial court’s denial of its motion for summary judgment with
    respect to counts one and three of the complaint. After a hearing, the
    Appellate Court dismissed the defendant’s cross appeal for lack of a final
    judgment, noting that the defendant had not obtained permission pursuant
    to Practice Book § 61-4 to appeal from that aspect of the trial court’s decision.
    4
    We note that the operative complaint in the present case alleges that
    the plaintiff discovered she was pregnant around the same time she termi-
    nated her relationship with Mendoza.
    5
    We also note that, according to the operative complaint, Mendoza has
    utilized the information contained within these records to file numerous
    civil actions, including paternity and visitation actions, against the plaintiff,
    her attorney, her father and her father’s employer, and to threaten her with
    criminal charges.
    6
    General Statutes § 52-146o provides: ‘‘(a) Except as provided in sections
    52-146c to 52-146j, inclusive, and subsection (b) of this section, in any civil
    action or any proceeding preliminary thereto or in any probate, legislative
    or administrative proceeding, a physician or surgeon, as defined in subsec-
    tion (b) of section 20-7b, shall not disclose (1) any communication made
    to him by, or any information obtained by him from, a patient or the conserva-
    tor or guardian of a patient with respect to any actual or supposed physical
    or mental disease or disorder, or (2) any information obtained by personal
    examination of a patient, unless the patient or his authorized representative
    explicitly consents to such disclosure.
    ‘‘(b) Consent of the patient or his authorized representative shall not be
    required for the disclosure of such communication or information (1) pursu-
    ant to any statute or regulation of any state agency or the rules of court,
    (2) by a physician, surgeon or other licensed health care provider against
    whom a claim has been made, or there is a reasonable belief will be made,
    in such action or proceeding, to his attorney or professional liability insurer
    or such insurer’s agent for use in the defense of such action or proceeding,
    (3) to the Commissioner of Public Health for records of a patient of a
    physician, surgeon or health care provider in connection with an investiga-
    tion of a complaint, if such records are related to the complaint, or (4) if
    child abuse, abuse of an elderly individual, abuse of an individual who is
    physically disabled or incompetent or abuse of an individual with intellectual
    disability is known or in good faith suspected.’’
    We note that the legislature made certain technical changes to § 52-146o
    subsequent to the events underlying the present appeal. See Public Acts
    2011, No. 11-129, § 20. For purposes of convenience and clarity, however,
    all references to § 52-146o within this opinion are to the current revision
    of the statute.
    7
    Specifically, the plaintiff alleged, in paragraphs 25 (f), (g), (h), (i) and
    (j) of the complaint, violations of the following regulations of the department:
    (1) 45 C.F.R. § 164.512 (e) (1) (ii) by ‘‘failing to seek itself or obtain ‘satisfac-
    tory assurances’ from the person seeking the information in that the person
    seeking the information failed to provide to the defendant proof that reason-
    able efforts were made to either . . . [e]nsure that the plaintiff was provided
    sufficient notice of the request, or . . . [s]eek a qualified protective order’’;
    (2) 45 C.F.R. § 164.512 (e) (1) (iii) ‘‘in failing to determine that the plaintiff
    had not received satisfactory notice of the request for her records from the
    face of the subpoena’’; (3) 45 C.F.R. §§ 164.508 (b) (2) and 164.508c (1)-(3)
    ‘‘in that the subpoena was not a valid authorization to produce the records’’;
    (4) 45 C.F.R. § 164.522 ‘‘in failing to follow the plaintiff’s request for additional
    privacy protection of her protected health information from production to
    the party requesting it’’; and (5) 45 C.F.R. § 164.502 ‘‘in failing to determine
    and produce only the minimum necessary data requested.’’
    8
    In Fisher, a judge of the Superior Court concluded that HIPAA’s omission
    of a private right of action preempts, under 42 U.S.C. § 1320d-7 (a) (2) (B),
    state law causes of action arising from health care providers’ breaches of
    patient privacy. Specifically, the court concluded that a plaintiff’s claim,
    which was brought under the Connecticut Unfair Trade Practices Act
    (CUTPA), General Statutes § 42-110a et seq., challenging a hospital’s ‘‘fail[-
    ure] to comply with HIPAA’s privacy requirements’’ was preempted because
    ‘‘[i]f Congress had intended to allow for a private action as part of this
    program, it could have included it in the legislation or authorized the Secre-
    tary [of the department] to provide for the same by rulemaking,’’ and ‘‘[t]here-
    fore, to the extent CUTPA permits a private right of action for a HIPAA
    violation, CUTPA constitutes a ‘contrary’ provision of state law and falls
    within the ambit of the HIPAA general preemption rule.’’ Fisher v. Yale
    University, supra, Superior Court, Docket No. X10-CV-04-4003207-S. In so
    concluding, the court rejected the plaintiff’s argument that, ‘‘since a violation
    of HIPAA is a violation of a clearly delineated public policy, it is actionable
    under CUTPA, and that the ability of a plaintiff to bring the action will result
    in greater privacy protection to her as a subject of individually identifiable
    health information.’’ Id.; see also Salatto v. Hospital of Saint Raphael,
    Superior Court, judicial district of New Haven, Docket No. CV-09-5032170-
    S (October 6, 2010) (The trial court granted a motion for summary judgment
    as to the plaintiff’s ‘‘negligence per se claims [that] assert that the defendant
    violated his right to confidentiality, pursuant to HIPAA. It is well settled
    that HIPAA does not create a private right of action.’’); Meade v. Orthopedic
    Associates of Windham County, supra, Superior Court, Docket No. CV-06-4005043-S
    (‘‘[t]his court concurs with the reasoning in Fisher and, therefore,
    finds that the plaintiff’s CUTPA claim is preempted by HIPAA and does not
    provide a private right of action’’).
    9
    The trial court further disagreed with the plaintiff’s argument analogizing
    HIPAA to the federal Occupational Safety and Health Act, 29 U.S.C. § 651
    et seq., whose regulations ‘‘may be used as evidence of the standard of care
    in a negligence action against an employer’’; Wagner v. Clark Equipment
    Co., 243 Conn. 168, 188, 700 A.2d 38 (1997); observing that ‘‘[n]o such history
    exists for HIPAA regulations.’’
    10
    Specifically, the trial court noted the ‘‘stark difference’’ between § 52-
    146o and the more comprehensive safeguards for the disclosure of medical
    records in administrative and judicial proceedings set forth by 45 C.F.R.
    § 164.512 (e); see footnote 12 of this opinion; and observed that, ‘‘[t]o the
    extent that § 52-146o permits disclosure of protected medical records pursu-
    ant to a subpoena without the safeguards required by HIPAA, it is both
    contrary to and less stringent than HIPAA and therefore superseded by
    HIPAA.’’
    11
    Title 45 of the Code of Federal Regulations (2004), § 160.202, implements
    42 U.S.C. § 1320d-7, and provides: ‘‘For purposes of this subpart, the follow-
    ing terms have the following meanings:
    ‘‘Contrary, when used to compare a provision of [s]tate law to a standard,
    requirement, or implementation specification adopted under this subchap-
    ter, means:
    ‘‘(1) A covered entity would find it impossible to comply with both the
    [s]tate and [f]ederal requirements; or
    ‘‘(2) The provision of [s]tate law stands as an obstacle to the accomplish-
    ment and execution of the full purposes and objectives of part C of title XI
    of the Act, section 264 of [Public Law] 104–191, as applicable.
    ‘‘More stringent means, in the context of a comparison of a provision of
    [s]tate law and a standard, requirement, or implementation specification
    adopted under subpart E of part 164 of this subchapter, a [s]tate law that
    meets one or more of the following criteria:
    ‘‘(1) With respect to a use or disclosure, the law prohibits or restricts a
    use or disclosure in circumstances under which such use or disclosure
    otherwise would be permitted under this subchapter, except if the disclo-
    sure is:
    ‘‘(i) Required by the Secretary in connection with determining whether
    a covered entity is in compliance with this subchapter; or
    ‘‘(ii) To the individual who is the subject of the individually identifiable
    health information.
    ‘‘(2) With respect to the rights of an individual, who is the subject of the
    individually identifiable health information, regarding access to or amend-
    ment of individually identifiable health information, permits greater rights
    of access or amendment, as applicable.
    ‘‘(3) With respect to information to be provided to an individual who is
    the subject of the individually identifiable health information about a use, a
    disclosure, rights, and remedies, provides the greater amount of information.
    ‘‘(4) With respect to the form, substance, or the need for express legal
    permission from an individual, who is the subject of the individually identifi-
    able health information, for use or disclosure of individually identifiable
    health information, provides requirements that narrow the scope or duration,
    increase the privacy protections afforded (such as by expanding the criteria
    for), or reduce the coercive effect of the circumstances surrounding the
    express legal permission, as applicable.
    ‘‘(5) With respect to recordkeeping or requirements relating to accounting
    of disclosures, provides for the retention or reporting of more detailed
    information or for a longer duration.
    ‘‘(6) With respect to any other matter, provides greater privacy protection
    for the individual who is the subject of the individually identifiable health
    information.
    ‘‘Relates to the privacy of individually identifiable health information
    means, with respect to a [s]tate law, that the [s]tate law has the specific
    purpose of protecting the privacy of health information or affects the privacy
    of health information in a direct, clear, and substantial way.
    ‘‘State law means a constitution, statute, regulation, rule, common law,
    or other [s]tate action having the force and effect of law.’’ (Emphasis in
    original.)
    12
    Title 45 of the Code of Federal Regulations, § 164.512, provides in rele-
    vant part: ‘‘A covered entity may use or disclose protected health information
    without the written authorization of the individual, as described in § 164.508,
    or the opportunity for the individual to agree or object as described in
    § 164.510, in the situations covered by this section, subject to the applicable
    requirements of this section. When the covered entity is required by this
    section to inform the individual of, or when the individual may agree to, a
    use or disclosure permitted by this section, the covered entity’s information
    and the individual’s agreement may be given orally.
    ‘‘(a) Standard: Uses and disclosures required by law. (1) A covered entity
    may use or disclose protected health information to the extent that such
    use or disclosure is required by law and the use or disclosure complies with
    and is limited to the relevant requirements of such law.
    ‘‘(2) A covered entity must meet the requirements described in paragraph
    (c), (e), or (f) of this section for uses or disclosures required by law.
    ***
    ‘‘(e) Standard: Disclosures for judicial and administrative proceed-
    ings.—(1) Permitted disclosures. A covered entity may disclose protected
    health information in the course of any judicial or administrative proceeding:
    ‘‘(i) In response to an order of a court or administrative tribunal, provided
    that the covered entity discloses only the protected health information
    expressly authorized by such order; or
    ‘‘(ii) In response to a subpoena, discovery request, or other lawful process,
    that is not accompanied by an order of a court or administrative tribunal, if:
    ‘‘(A) The covered entity receives satisfactory assurance, as described in
    paragraph (e) (1) (iii) of this section, from the party seeking the information
    that reasonable efforts have been made by such party to ensure that the
    individual who is the subject of the protected health information that has
    been requested has been given notice of the request; or
    ‘‘(B) The covered entity receives satisfactory assurance, as described in
    paragraph (e) (1) (iv) of this section, from the party seeking the information
    that reasonable efforts have been made by such party to secure a qualified
    protective order that meets the requirements of paragraph (e) (1) (v) of
    this section.
    ‘‘(iii) For the purposes of paragraph (e) (1) (ii) (A) of this section, a covered
    entity receives satisfactory assurances from a party seeking protected health
    information if the covered entity receives from such party a written state-
    ment and accompanying documentation demonstrating that:
    ‘‘(A) The party requesting such information has made a good faith attempt
    to provide written notice to the individual (or, if the individual’s location
    is unknown, to mail a notice to the individual’s last known address);
    ‘‘(B) The notice included sufficient information about the litigation or
    proceeding in which the protected health information is requested to permit
    the individual to raise an objection to the court or administrative tribunal; and
    ‘‘(C) The time for the individual to raise objections to the court or adminis-
    trative tribunal has elapsed, and:
    ‘‘(1) No objections were filed; or
    ‘‘(2) All objections filed by the individual have been resolved by the court
    or the administrative tribunal and the disclosures being sought are consistent
    with such resolution.
    ‘‘(iv) For the purposes of paragraph (e) (1) (ii) (B) of this section, a covered
    entity receives satisfactory assurances from a party seeking protected health
    information, if the covered entity receives from such party a written state-
    ment and accompanying documentation demonstrating that:
    ‘‘(A) The parties to the dispute giving rise to the request for information
    have agreed to a qualified protective order and have presented it to the
    court or administrative tribunal with jurisdiction over the dispute; or
    ‘‘(B) The party seeking the protected health information has requested a
    qualified protective order from such court or administrative tribunal.
    ‘‘(v) For purposes of paragraph (e) (1) of this section, a qualified protective
    order means, with respect to protected health information requested under
    paragraph (e) (1) (ii) of this section, an order of a court or of an administra-
    tive tribunal or a stipulation by the parties to the litigation or administrative
    proceeding that:
    ‘‘(A) Prohibits the parties from using or disclosing the protected health
    information for any purpose other than the litigation or proceeding for which
    such information was requested; and
    ‘‘(B) Requires the return to the covered entity or destruction of the pro-
    tected health information (including all copies made) at the end of the
    litigation or proceeding.
    ‘‘(vi) Notwithstanding paragraph (e) (1) (ii) of this section, a covered entity
    may disclose protected health information in response to lawful process
    described in paragraph (e) (1) (ii) of this section without receiving satisfac-
    tory assurance under paragraph (e) (1) (ii) (A) or (B) of this section, if the
    covered entity makes reasonable efforts to provide notice to the individual
    sufficient to meet the requirements of paragraph (e) (1) (iii) of this section
    or to seek a qualified protective order sufficient to meet the requirements
    of paragraph (e) (1) (iv) of this section.
    ‘‘(2) Other uses and disclosures under this section. The provisions of
    this paragraph do not supersede other provisions of this section that other-
    wise permit or restrict uses or disclosures of protected health information.
    . . .’’ (Emphasis in original.)
    13
    Similarly, the plaintiff also asks us, as a matter of judicial economy in
    the event of a remand, to determine, as a matter of law, whether the defen-
    dant’s act of mailing the medical records into court in response to the
    subpoena complied with General Statutes § 52-143 and the federal regulatory
    provisions under HIPAA, namely, 45 C.F.R. § 164.512 (e) (1) (ii) and (iii),
    with respect to notifying the plaintiff or seeking a qualified protective order.
    See footnote 12 of this opinion. We address this claim in part II A of this
    opinion.
    14
    For additional background discussion of health care providers’ common-
    law duty to protect patient confidences, and the related cause of action,
    compare, for example, Biddle v. Warren General Hospital, 86 Ohio St. 3d 395,
    715 N.E.2d 518 (1999), with Quarles v. Sutherland, 215 Tenn. 651,
    389 S.W.2d 249 (1965).
    15
    ‘‘The Privacy Rule forbids an organization subject to its requirements (a
    ‘covered entity’) from using or disclosing an individual’s health information
    (‘protected health information’) except as mandated or permitted by its
    provisions . . . . ‘Covered entities’ generally include health plans, health
    care clearinghouses and health care providers such as physicians, hospitals
    and HMOs . . . . ‘Protected health information’ encompasses any individu-
    ally identifiable health information held or transmitted by a covered entity
    in any form or medium, whether electronic, paper or oral . . . .’’ (Citations
    omitted.) Arons v. Jutkowitz, 9 N.Y.3d 393, 412–13, 880 N.E.2d 831,
    850 N.Y.S.2d 345 (2007); id. (discussing, inter alia, 45 C.F.R.
    §§ 164.502 [a] [1], 164.512 [e]).
    In the litigation context specifically, as reflected in 45 C.F.R. § 164.512
    (e) (1) (i) and (ii), the ‘‘Privacy Rule also permits covered entities to use
    or disclose protected health information without authorization pursuant to a
    court or administrative order so long as only the protected health information
    covered by the order is disclosed . . . or in response to a subpoena, discov-
    ery request or other lawful process if the entity has received satisfactory
    assurances that the party seeking the disclosure has made reasonable efforts
    to ensure that the individual has been given notice of the request, or has
    made reasonable efforts to secure a qualified protective order from a court
    or administrative tribunal . . . .’’ (Citations omitted.) Id., 414; see
    footnote 12 of this opinion for the text of 45 C.F.R. § 164.512 (e).
    16
    See footnote 11 of this opinion.
    17
    Also exempted from preemption are: (1) provisions of state law
    approved by the secretary of the department subject to certain conditions;
    see 45 C.F.R. § 160.203 (a); (2) a ‘‘provision of [s]tate law, including [s]tate
    procedures established under such law, as applicable, [which] provides for
    the reporting of disease or injury, child abuse, birth, or death, or for the
    conduct of public health surveillance, investigation, or intervention’’; 45
    C.F.R. § 160.203 (c); and (3) a ‘‘provision of [s]tate law [that] requires a
    health plan to report, or to provide access to, information for the purpose
    of management audits, financial audits, program monitoring and evaluation,
    or the licensure or certification of facilities or individuals.’’ 45 C.F.R.
    § 160.203 (d).
    18
    Title 42 of the United States Code, § 1320d-6 provides: ‘‘(a) Offense
    ‘‘A person who knowingly and in violation of this part—
    ‘‘(1) uses or causes to be used a unique health identifier;
    ‘‘(2) obtains individually identifiable health information relating to an
    individual; or
    ‘‘(3) discloses individually identifiable health information to another
    person,
    ‘‘shall be punished as provided in subsection (b) of this section. For
    purposes of the previous sentence, a person (including an employee or other
    individual) shall be considered to have obtained or disclosed individually
    identifiable health information in violation of this part if the information is
    maintained by a covered entity (as defined in the HIPAA privacy regulation
    described in section 1320d-9 (b) (3) of this title) and the individual obtained
    or disclosed such information without authorization.
    ‘‘(b) Penalties
    ‘‘A person described in subsection (a) of this section shall—
    ‘‘(1) be fined not more than $50,000, imprisoned not more than [one] year,
    or both;
    ‘‘(2) if the offense is committed under false pretenses, be fined not more
    than $100,000, imprisoned not more than [five] years, or both; and
    ‘‘(3) if the offense is committed with intent to sell, transfer, or use individu-
    ally identifiable health information for commercial advantage, personal gain,
    or malicious harm, be fined not more than $250,000, imprisoned not more
    than [ten] years, or both.’’
    19
    This question had been raised in connection with proposed language
    for 45 C.F.R. § 160.202 that would have specifically defined the application
    of the phrase ‘‘more stringent’’ in a variety of contexts, including stating
    that ‘‘more stringent’’ means, ‘‘[w]ith respect to penalties, provides greater
    penalties.’’ (Emphasis added.) Standards for Privacy of Individually Identifi-
    able Health Information, 64 Fed. Reg. 59,918, 60,051 (November 3, 1999);
    see also id., p. 59,997 (explaining department’s initial decision to provide
    specific definitions). In the commentary to the final rule, the department
    stated that it had ‘‘reconsidered the proposed ‘penalty’ provision of the
    proposed definition of ‘more stringent’ and have eliminated it. The HIPAA
    statute provides for only two types of penalties: fines and imprisonment.
    Both types of penalties could be imposed in addition to the same type of
    penalty imposed by a state law, and should not interfere with the imposition
    of other types of penalties that may be available under state law. Thus, we
    think it is unlikely that there would be a conflict between state and federal
    law in this respect, so that the proposed criterion is unnecessary and confus-
    ing.’’ Standards for Privacy of Individually Identifiable Health Information,
    65 Fed. Reg. 82,462, 82,582 (December 28, 2000).
    20
    We also note the body of case law establishing that, in the absence of
    a private right of action under HIPAA, the federal courts lack jurisdiction
    to remove actions containing a state law claim relying on HIPAA to support
    the standard of care. This body of case law indicates HIPAA’s failure to
    preempt state law causes of action by implication. See Hearn v. Reynolds,
    876 F. Supp. 2d 798, 799–800 (S.D. Miss. 2012) (remanding removed case
    to state court because, although complaint stated that ‘‘publications
    amounted to HIPAA violations,’’ ‘‘HIPAA creates no private right of action’’
    and complaint indicated that plaintiff ‘‘is concerned primarily with an intent
    to injure his standing in the community rather than a disclosure of his
    medical history’’); Baum v. Keystone Mercy Health Plan, 826 F. Supp. 2d 718,
    721 (E.D. Pa. 2011) (remanding removed case to state court although
    HIPAA ‘‘is implicated because the federal statute requires [d]efendants to
    ‘reasonably safeguard protected health information,’ such as the information
    on the misplaced USB drive, ‘from any intentional or unintentional use or
    disclosure’ . . . this is a fairly straightforward state-law tort case’’ with
    claims of negligence, negligence per se and violations of Pennsylvania’s
    unfair trade practices statute); K.V. v. Women’s Healthcare Network, LLC,
    United States District Court, Docket No. 07-0228-CV-W-DW (W.D. Mo. June
    6, 2007) (The court remanded the removed case, claiming negligence and
    negligence per se arising from HIPAA violations, to the state court because
    ‘‘the parties concede that various courts around the country have determined
    that there is no express or implied private cause of action under HIPAA.
    Additionally, the state law claim raised in [c]ount [9] does not raise a substan-
    tial federal question of great federal interest. The privacy standards imposed
    by HIPAA are not uniquely federal and do not raise any issue of great federal
    interest.’’); Harmon v. Maury County, United States District Court, Docket
    No. 1:05CV0026 (M.D. Tenn. August 31, 2005) (The court remanded the
    removed case to the state court because, although the plaintiffs’ negligence
    per se claims cited HIPAA privacy regulation, ‘‘Congress did not provide an
    exclusive federal remedy under HIPAA and HIPAA does not completely
    preempt state law. There is no compelling federal interest nor is a substantial
    federal question presented. [The] [p]laintiffs’ claims fall within that broad
    class of state law claims based on federal regulations in the state court, as
    described in [Grable & Sons Metal Products, Inc. v. Darue Engineering &
    Mfg., supra, 545 U.S. 308].’’).
    21
    We find misplaced the defendant’s reliance on the Kentucky decision
    in Young v. Carran, supra, 289 S.W.3d 586, and the Maine decision in Bonney
    v. Stephens Memorial Hospital, supra, 17 A.3d 123. The court in Young held
    only that HIPAA does not provide a private right of action—a proposition
    not challenged by the plaintiff in this appeal—and that the HIPAA regulations
    could not be used to support a negligence per se claim because of a Kentucky
    statute that previously had been interpreted by the state’s Supreme Court
    to limit negligence per se claims to violations only of Kentucky state statutes.
    See Young v. Carran, supra, 588–89, citing T & M Jewelry, Inc. v. Hicks
    ex rel. Hicks, 189 S.W.3d 526, 530 (Ky. 2006). Indeed, the Kentucky court
    indicated that a properly pleaded claim of negligence, rather than negligence
    per se, could be founded on federal regulatory violations, noting that, in
    T & M Jewelry, Inc., the Kentucky Supreme Court had ‘‘used provisions of
    the federal Gun Control Act of 1968 to define a duty of care for purposes
    of a common law negligence action—not a . . . negligence per se claim.’’
    Young v. Carran, supra, 589.
    Bonney similarly held only that HIPAA did not afford the plaintiffs therein
    a private right of action, and specifically noted that ‘‘HIPAA standards, like
    state laws and professional codes of conduct, may be admissible to establish
    the standard of care associated with a state tort claim,’’ which is precisely
    what the plaintiff in this appeal seeks to do. Bonney v. Stephens Memorial
    Hospital, supra, 17 A.3d 127–28.
    Finally, we disagree with the defendant’s attempt to diminish the Utah
    Court of Appeals decision in Sorensen v. Barbuto, supra, 143 P.3d 299 n.2,
    which had rejected the claim that the plaintiff was ‘‘not entitled to a private
    right of action for breach of professional standards,’’ which included ‘‘HIPAA,
    the American Medical Association’s Principles of Medical Ethics, and the
    Hippocratic Oath.’’ The Utah court emphasized that the plaintiff therein did
    not contend that those provisions afforded him a private right of action,
    but ‘‘[r]ather . . . that the professional standards contribute to the proper
    standard of care . . . .’’ Id. Plainly implicit in this conclusion is that it is
    proper in Utah to utilize HIPAA as evidence of the standard of care in
    negligence actions.
    22
    Although it is not entirely clear from her brief, the record, or the allega-
    tions in the operative complaint whether the plaintiff seeks to use the HIPAA
    regulations simply as evidence of the standard of care, or as a basis for
    negligence per se, this lack of clarity does not affect our preemption analysis.
    We note, however, that whether the particular HIPAA regulations at issue
    are suitable for use as a legislatively imposed standard of care for purposes
    of establishing negligence per se is a potentially complex question of law
    that has not been adequately briefed by the parties herein, and therefore,
    is one that we need not decide in this appeal. See, e.g., Gore v. People’s
    Savings Bank, 235 Conn. 360, 380, 665 A.2d 1341 (1995) (‘‘[i]n deciding
    whether the legislature intended to provide for such statutory liability, we
    look to the language of the statute and to the legislative history and purposes
    underlying the provision’s enactment’’).