Walgreens Employee’s $1.44M HIPAA Violation Upheld in Court
Employee’s HIPAA Violation Results in $1.44 Million Jury Verdict Against Employer | Seigfreid Bingham, P.C. | A Kansas City, MO Law Firm
Last month, the Indiana Court of Appeals upheld a $1.44 million jury verdict against Walgreens and a pharmacist employed by Walgreens for breaching their duties to keep customer prescription history private. In this case, the pharmacist used private customer prescription history information for her own personal purposes.
Ground-breaking opinion
According to Indianapolis attorney Neal F. Eggeson Jr. (the victim’s attorney), this is the first published appellate court opinion that upheld a jury verdict that held an employer liable for an employee’s violation of the Health Insurance Portability and Accountability Act (HIPAA).
Several things about this case are noteworthy:
- The court is sending a strong signal that it takes the privacy of medical information seriously;
- Although this was a private lawsuit, and although HIPAA violations are not in themselves grounds for private lawsuits, the plaintiff argued that by violating HIPAA, the pharmacist violated the standard of care owed to the plaintiff. Therefore, the plaintiff alleged, Walgreens was negligent, and the pharmacist engaged in professional malpractice, both of which are grounds for a private lawsuit; and
- Using a broad definition of the “scope of employment” doctrine, the court affirmed that the pharmacist was acting within the scope of her employment when she revealed the private medical records and, therefore, Walgreens could be liable for her actions.
Love triangle
The situation that prompted the pharmacist to violate a customer’s privacy involved a complicated love triangle situation, which started when the pharmacist found out that her husband fathered a child with his ex-girlfriend. The pharmacist then accessed the prescription history of the ex-girlfriend to get information about her prescriptions for birth control and for a sexually transmitted disease. The pharmacist shared the information with her husband, who then shared it with at least three other people. The husband threatened his ex-girlfriend with the information, saying he would use it against her in a paternity suit.
Employer held liable
Although Walgreens argued that it should not be held liable because the pharmacist’s actions were beyond the scope of her employment, the trial court and appellate court disagreed. Walgreens said that it had a strict policy about privacy, that the pharmacist knew about the policy, and that she knowingly violated the policy. When Walgreens learned about the incident, it issued a written warning to the pharmacist and required her to get additional training on HIPAA.
The court found that because Walgreens had authorized the pharmacist to look up customer information on its computer system, the pharmacist’s actions could be construed as within the scope of her employment, which is the necessary test for employer liability for the actions of its employees. Walgreens plans to appeal.
What healthcare employers can do
These are some of the steps that employers can take to reduce their risk of being sued in a similar situation:
- Provide training at least once per year for employees on the proper handling of customer information;
- Pay attention to complaints from customers about privacy violations;
- Do not provide employees with any more access to customer information than they need to do their jobs; and
- Create and document a strong policy prohibiting employees from snooping in customer files as part of a comprehensive set of HIPAA policies and procedures.
