Court Upholds $1.4 Million Privacy Verdict

Walgreens Case Invokes HIPAA as a Benchmark
Court Upholds $1.4 Million Privacy Verdict

A second state court ruling in recent weeks calls attention to how incidents involving alleged patient privacy violations can lead to negligence lawsuits that invoke HIPAA as a benchmark.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

In the most recent case, the Indiana appellate court has upheld a $1.4 million jury verdict awarded in 2013 to a customer that alleged her privacy was violated by a Walgreens pharmacist who inappropriately reviewed and shared the woman's prescription history with a third party.

In July 2013, a jury in Marion County, Ind., awarded the damages to Abigail Hinchy after her prescription history was provided to her ex-boyfriend, Davion Peterson, by a Walgreens pharmacist, Audra Withers, who was married to Peterson .

Walgreens appealed the jury's decision, but the appellate court on Nov. 14 upheld the lower court ruling. The pharmacy chain tells Information Security Media Group that it plans to appeal once again to the state's supreme court.

"In this case, a pharmacist breached one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client's ex-boyfriend," says the court of appeals in its decision. "A jury heard extensive evidence during a four-day trial and ultimately found that the pharmacist and her employer are liable for the damages sustained by the customer as a result of the breach. We are loath to disturb jury verdicts and decline to do so in this case."

HIPAA does not permit a "private cause of action" for individuals to sue for violations of the federal law. But the Walgreens case, like a similar case in Connecticut, gets around that by, instead, alleging negligence under state statutes for failing to meet HIPAA requirements, invoked as the "standard of care" for protecting patient information.

The Connecticut Supreme Court earlier this month paved the way for a similar negligence case to proceed (see Court Allows HIPAA Negligence Claims). That case, Emily Byrne vs. Avery Center for Obstetrics and Gynecology involved a patient who sued a healthcare clinic that released her medical records to a third party, under subpoena, without informing Byrne or getting her permission. That ultimately resulted in her ex-boyfriend allegedly viewing Byrne's health records and using them to harass, embarrass and extort her, says attorney Bruce Elstein, of law firm Goldman, Gruder & Woods, who represents the plaintiff in that case.

Damages Upheld

Attorney Neal Eggeson of Eggeson Appellate Services, who represented the plaintiff in the Walgreens case, tells ISMG that the Indiana ruling is particularly significant because it upholds damages in a privacy case involving allegations of negligence.

"There haven't been many HIPAA cases involving negligence, and not many have gone through trial," Eggeson says. "Now, a published decision says that not only can you sue for HIPAA negligence, but an appeals court has upheld a seven-figure decision against a healthcare entity for HIPAA privacy negligence."

The courts are recognizing that HIPAA doesn't preclude negligence cases when HIPAA is the "standard of care" that healthcare providers use to protect patient privacy, Eggeson says.

Importance of Privacy

Some legal experts say the recent court decisions highlight the importance of the HIPAA Privacy Rule's mandates to safeguard patient information.

"It does not surprise me that state-level courts are deciding to find the HIPAA privacy and security rules set the generally accepted standard on how health information may be used and disclosed," says attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "Juries deciding these cases are acting on their belief of what is right or wrong after a thorough examination of the facts.

"The privacy protections, like those in the HIPAA Privacy Rule, are the most recognizable tool that allows for evaluating what is acceptable conduct. Just as importantly, courts are supporting the notion that there can be real and demonstrable harm that results from the disclosure of sensitive health information with a malicious intent to cause emotional pain or injure a person's reputation."

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who is not involved in either the Indiana or Connecticut cases, says the two rulings are the most recent examples of how some HIPAA-related lawsuits can withstand legal scrutiny.

"There has been an opening to use HIPAA in other [negligence suits] claims for some time," he says.

"For example, back in 2007 a plaintiff successfully used HIPAA as the standard of care in a negligence case in Acosta v. Byrum, and there were discussions back then as to whether the North Carolina case would open the floodgates to private rights of actions under HIPAA," he says. "We haven't seen that many such cases since 2007."

That North Carolina case involved a patient who sued her healthcare provider for negligence after the provider granted a third party unauthorized access to the patient's psychiatric and other medical records.

The $1.4 million verdict in the recent Indiana case may lead others to file civil negligence suits, brough under state and other statutes, that invoke the HIPAA benchmark, Greene predicts. Nonetheless, many of those cases will still face uphill battles in court. "There will often be challenges with such suits, such as demonstrating damages from a breach of confidentiality," Greene says.

Holtzman predicts more privacy cases will be filed "as more states pass laws establishing how sensitive personal information must be protected from unauthorized use and disclosure, along with courts recognizing a right of privacy when there is proof of harm suffered by an individual victim."

Walgreens, in a statement provided to ISMG, says, "We take seriously our responsibility to safeguard the privacy of medical records in our possession. The pharmacist in this case admitted she was aware of our strict privacy policy and knew she was violating it. She was appropriately disciplined for her action. We believe it is a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy. We intend to appeal the ruling."

The August 2011 complaint filed by Hinchy against the pharmacist claimed, among other things, negligence, professional malpractice and invasion of privacy. The lawsuit also charged that Walgreens was liable for the pharmacist's actions and alleged the retail chain was guilty of negligence for a lack of training and supervision, among other factors.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network