In what’s being touted as a national precedent, the Indiana Court of Appeals upheld a $1.4 million trial court verdict for a Walgreens customer whose prescription information was leaked by a pharmacist to a third party. This may be one of the first times a health care provider was found liable under state negligence law for an employee’s failure to follow the federal Health Insurance Portability and Accountability Act (HIPAA)—and serves as a cautionary tale for employers in every state.
The facts in Walgreen Co. v Hinchy (Ind App, Nov. 14, 2014, No. 49A02-1311-CT-950) 2014 Ind App Lexis 560, resemble a sordid soap opera: Abigail and Davion were in an on and off relationship for years. Towards the end of their relationship, Davion began dating Audra, who was a pharmacist at the Walgreens where Abigail filled all her medical prescriptions.
Shortly after Davion and Audra met, Abigail became pregnant with Davion’s child and gave birth to a son. Davion then learned he had genital herpes. Davion informed Audra about the baby and her possible exposure to herpes. Scared of contracting a sexually transmitted disease, Audra looked up Abigail’s prescription records in the Walgreens database during working hours. Davion then sent a text message to Abigail telling her that he had a printout of her prescription records that showed she failed to refill her birth control pills without telling him.
Abigail eventually learned that Davion and Audra had married and that Audra was a pharmacist at the Walgreens where she filled her prescriptions—Abigail connected the dots and sued both Walgreens and Audra. Against Audra, she claimed negligence in professional malpractice, public disclosure of private facts, and invasion of privacy by intrusion. Against Walgreens, she asserted liability under respondeat superior on the same counts, negligent training, negligent supervision, negligent retention, and negligence in professional malpractice.
The jury found for Abigail, concluding that her total damages were $1.8 million. It held non-party Davion responsible for 20 percent, and Walgreens and Audra responsible for the remaining 80 percent. The jury found that Walgreens was liable on a theory of respondeat superior because much of Audra’s illegal conduct was generally similar to her ordinary job duties.
The jury determined the large award was appropriate based on evidence that Audra gained information about Abigail’s private health information and shared it with Davion, who then shared it with others; the disclosure lead to Davion berating Abigail for intentionally getting pregnant and threatening to release details of her prescription use to her family unless she abandoned her paternity suit against him; and that Abigail suffered mental distress, humiliation, anguish, and depression as a result of the disclosures. Walgreens unsuccessfuly appealed.
An article on Law360 sets out four important lessons every health care employer should take from this case:
- Have clear policies in place on when and how employees may access data;
- Monitor employee actions on the job;
- Implement robust disincentives for unauthorized access; and
- Address customer concerns about their health information privacy.
This decision should also highlight that, although there’s no private right of action against health care providers under HIPAA, a HIPAA-style violation nevertheless might give rise to liability under state law.
CEB can help keep your clients compliant and healthy. On health information privacy, check out CEB’s Privacy Compliance and Litigation in California, chap 7. For discussion of respondeat superior and an employer’s vicarious liability for employee acts, turn to CEB’s Advising California Employers and Employees, chap 14 and Employment Damages and Remedies.
Other CEBblog™ posts you may find interesting:
- A Victory for Personal Information Privacy
- Medical Privacy: the Final Final Rule
- Privacy for Employees’ Personal Emails — It’s All in the Policy
© The Regents of the University of California, 2014. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.