US Pharm. 2014;39(7):46-47.
Assume that a long-term patient of the pharmacy has several prescriptions on file. You access those files to determine which medications the patient has taken in the past and is currently using. You then tell your spouse about this information. Assume further that the patient learns of this spousal discussion. Is the patient allowed to sue you and the pharmacy for breach of privacy rights under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?
According to one recent case, the answer is yes, at least indirectly. In 2013, an Indiana jury found in favor of the plaintiff and awarded her a judgment in the amount of $1.44 million against the pharmacy (Walgreens) that had employed the pharmacist who had breached the HIPAA privacy rights.1
Facts of the Case
The parties agreed to the following facts2:
- The plaintiff maintained an exclusive medical prescription account with Walgreens during all relevant times.
- The pharmacist was licensed and had access to the plaintiff’s confidential prescription information at Walgreens.
- Walgreens forbids access to patient information for personal reasons. The pharmacist was aware of this rule.
- The pharmacist was informed by her husband of past sexual conduct with the plaintiff, and her husband raised the possibility of a sexually transmitted disease.
- The pharmacist intentionally accessed the plaintiff’s confidential prescription information on a Walgreens computer during her regular work shift.
- The plaintiff received a text message the same day from a phone number she recognized as belonging to the pharmacist’s husband (her ex-boyfriend), causing her to believe that her confidential Walgreens prescription information had been accessed and disclosed.
- The plaintiff immediately phoned Walgreens to report the incident and discuss it.
- Subsequently, the pharmacist again accessed the plaintiff’s confidential information.
The complaint against the pharmacy alleged that: 1) the pharmacy owed the plaintiff a nondelegable duty to protect the privacy and confidentiality of its customers’ prescription histories and pharmaceutical information, which it breached; 2) the pharmacy owed a duty to its customers to properly train its pharmacists in the protection of customer privacy, to supervise them, and to “take appropriate steps” after learning of an employee failure in this regard, all of which it breached; and 3) the pharmacist herself allegedly owed a duty to customers to protect their prescription information, which she breached by sharing it with a third party.
Motion for Summary Judgment
Under Indiana law, an employee’s liable acts can be imputed to the employer if: 1) the act in question is “incidental” to other authorized conduct; or 2) the act “furthers the employer’s business.” In this case, the court noted that there were two possible ways of looking at the facts. On one hand, the nature of the pharmacist’s conduct involved training and duties only derived from her employment. On the other hand, her subjective motivation could be interpreted as independent from any authorized action.
The plaintiff argued that even though HIPAA does not expressly give individuals who are harmed by the release of Protected Health Information (PHI) direct access to sue, it still sets the standards for confidentiality of PHI. The law was intended to protect confidentiality and establish privacy right through the notion of PHI. Thus, the breach of HIPAA rights established the breach of the applicable standard of care as alleged in the complaint. The plaintiff also argued that the employee pharmacist was acting within the scope of her duties and therefore the pharmacy should be liable for the employee’s negligent and intentional acts.
The court held that a jury would need to consider the facts and that summary judgment was not appropriate. Similarly, the court found that the facts were in question in the plaintiff’s claim of public disclosure of private facts and, thus, that the claim was not suitable for summary judgment. The court granted summary judgment to Walgreens on the claims of negligent training and invasion of privacy by intrusion.4
After trial, the jury issued a verdict in favor of the plaintiff. The jury found that the amount of damages she was entitled to recover was $1.8 million, but that the pharmacist’s husband (not a party to the case) was 20% at fault. Thus, the award to the plaintiff was $1.44 million.5 However, because the jury’s verdict was much greater than the amount for which the plaintiff had offered to settle the case, the trial judge increased the award to $1,611,259.6
One of the primary goals of HIPAA when it was enacted was to protect the confidentiality and security of healthcare information. Medical providers are required to maintain the privacy of their patient’s medical records and cannot release them without a valid authorization.
HIPAA provides civil penalties for noncompliance ranging from $100 to $50,000 a day, with a calendar-year cap of $1,500,000. There are also potential criminal penalties with fines as much as $250,000 and jail time up to 10 years depending on the type of wrongful conduct and the criminal intent behind the violation.
While HIPAA provides both civil and criminal penalties for improper disclosure of health information, it does not create a state-based private cause of action for violation of its provisions. Thus, when someone’s PHI is inappropriately shared or disclosed by a healthcare provider, the individual does not have personal legal recourse against the offending party. In point of fact, other courts considering the issue have held that HIPAA does not create a private cause of action.7
For this reason, victims and their lawyers have often subscribed to the theory that a HIPAA violation does not allow victims to take a covered entity for a “private cause of action,” meaning they cannot sue as individuals over a privacy breach.
This case, however, illustrates that HIPAA still has a significant role in state court suits alleging negligence and professional liability as it relates to confidentiality. The plaintiff did not sue the pharmacy for violating HIPAA (as that is not permitted by the federal statute), but rather sued Walgreen Co. under state law for negligence, invasion of privacy, and breach of fiduciary duties, using HIPAA to establish the acceptable standard of care for privacy protection.8
The question of an employer’s liability for the actions of its employees usually turns on whether the employee was acting within the scope of his or her employment. Employers are vicariously liable for the negligent actions of their employees committed within the scope of their employment under the legal doctrine of respondeat superior. Employers are generally not liable for the intentional acts of their employees unless those acts further the legitimate interests of the employer.9
This case should serve as notice to pharmacists not to access any patient information for personal reasons not related to professional duties. Pharmacy operators and managers should take equal precaution. Employers should seriously consider terminating any employees who intentionally disclose PHI for their own personal interests. The employer’s risk in retaining the errant employee could be expensive. An employee who has intentionally disclosed PHI has violated federal and state laws, as well as the professional obligations of his or her practice. An employee who will intentionally violate those laws and professional obligations is highly likely to repeat that conduct despite any remedial action taken by the employer short of termination.
Hinchy v. Walgreen Co., et al, No. 49D06 11 08 CT029165 (Marion Co. Sup Ct,
Ind, filed August, 1, 2011).
2. Walgreen’s must pay $1.4 million to woman in state law case with HIPAA-type claims. O’Brien Privacy Law Center. August 1, 2013. http://obrienprivacylaw.com/privacy-litigation/walgreens-must-pay-1-4-million-to-woman-in-state-law-case-with-hipaa-type-claims/. Accessed May 13, 2014.
3. Ouellette P. Will Walgreens breach ruling affect future HIPAA violations? Health IT Security. August 13, 2013. http://healthitsecurity.com/2013/08/13/will-walgreens-breach-ruling-affect-future-hipaa-violations/. Accessed May 14, 2014.
4. HIPPA. Legal Medicine Q&A. 2013 ;14(6):1-2. http://aclm.org/getattachment/dec88476-1a36-4107-aace-ce44cc294ade/November-December-2013.aspx. Accessed May 13, 2014.
5. Walgreens must pay woman $1.44 million over HIPAA violation. Indian Star. July 26, 2013. www.indystar.com/article/20130726/NEWS/307260079/Walgreens-must-pay-woman-1-44-million-over-HIPAA-violation. Accessed May 13, 2014.
6. Neal F. Eggeson, Attorney at Law. Trial results. http://indianaprivacylaw.com/trial-results. Accessed May 14, 2014.
7. “Despite the potential for significant penalties, HIPAA has for the most part been a toothless tiger because the Courts have typically found that there is no private cause of action under HIPAA.” Dean v. City of New Orleans, 2013 U.S. App. LEXIS 9106 (5th Cir. La. May 3, 2013) ; citing Acara v. Banks, 470 F3d 569, 572 (5th Cir. 2006). http://randywallace.wordpress.com/tag/hinchy-v-walgreen/. Accessed May 13, 2014.
8. McBrayer, McGinnis, Leslie & Kirkland, PLLC. Archive for category Hinchy v. Walgreen Co.: a new reason to protect protected health information. Health Care Law. April 22, 2014. http://mcbrayerhealthcare.com/category/hinchy-v-walgreen-co/. Accessed May 13, 2014.
9. Smith ML. Employer liability for employee’s intentional misuse of protected health information. The Health Law Firm. www.thehealthlawfirm.com/resources/health-law-articles-and-documents /Confidential-Health-Information.html. Accessed May 14, 2014.
To comment on this article, contact firstname.lastname@example.org.