When the Indiana Court of Appeals released its decision upholding the $1.44 million jury verdict against Walgreens for privacy violations by an employee pharmacist, the press and blogosphere started buzzing about the precedent it was setting — an employer could be held liable for the HIPAA violations of an employee. This was the view espoused by the plaintiff’s attorney, Neal F. Eggeson, in a statement to the Indianapolis Star on Friday, Nov. 14, the date of the decision.
The plaintiff, Abigail Hinchy, had sued Walgreens and its pharmacist, Audra Withers, for viewing her prescription records without authorization and then disclosing the information to Withers’ husband, a former boyfriend of Hinchy’s and the father of her child, who threatened to use the information in a paternity lawsuit. After Hinchy contacted the company, Walgreens acknowledged the HIPAA violation to her and said that it had given Withers a written warning and required her to retake a HIPAA computer training program.
Hinchy sued both Walgreens and the pharmacist. In her complaint, Hinchy alleged negligence and professional malpractice, invasion of privacy and public disclosure of private facts, and invasion of privacy/intrusion against Withers. She alleged the same causes of action against Walgreens, under the theory of “respondeat superior,” under which an employer is held responsible for the actions of employees performed within the scope of their employment. Walgreens argued that an employer should not be held liable for acts of an employee who knowingly violated company policy, in this case, HIPAA policies and procedures.
In its decision, the court of appeals cited a number of Indiana cases to explain the concept of respondeat superior. In particular, it focused on when an employee is “acting within the scope of employment when performing work assigned by the employer or engaging in a course of conduct subject to the employer’s control.” After reviewing the case law, the court concluded that “Withers’ actions were of the same general nature as those authorized, or incident to the actions that were authorized, by Walgreens.... Hinchy belonged to the same general category of individuals to whom Withers owed a duty of privacy protection by virtue of her employment as a pharmacist.”
The court also explained that for respondeat superior liability to attach “there must also be underlying liability of the acting party,” in this case, Withers. Hinchy sued Withers on two theories of direct liability — professional malpractice and public disclosure of private facts. The court did not express an opinion on whether Indiana recognized the tort of public disclosure of private facts, which could encompass a HIPAA violation, because Walgreens had not appealed the trial court’s denial of summary judgment on the claim of privacy invasion. Instead, it considered whether Withers committed “the tort of negligence by virtue of professional malpractice of a pharmacist.” It found that under Indiana law, Withers had a duty of confidentiality to Hinchy and that she had breached that duty when she examined Hinchy’s prescription records without authorization and subsequently disclosed the information. “Under these circumstances,” the court said, “we find that the jury verdict can be affirmed based upon the respondeat superior liability of Walgreens, which attaches via the liability of Withers for her negligence/professional malpractice.”
Employer Liability for Employees Is Not New
According to Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP, employer liability for employee actions when acting within the scope of employment has been around forever, and to conclude that the appeal confirmed that privacy breach victims may hold employers responsible is an “overreach.” The issue in the Walgreens case was whether the employee was acting in the scope of her employment when the employee breached HIPAA and violated company policy. In this case, the jury decided that the employee was, and the appellate court declined to overturn that decision. But, according to Drummond, “in this particular case, the appellate court gave too much credence to the fact that the employee’s wrongdoing (looking at medical records she shouldn’t have looked at) was very similar to activities the employee would take in the performance of her legitimate duties (looking at medical records she should look at); if that’s the case, a waiter stealing a customer’s credit card number would be attributable to the restaurant owner, which doesn’t seem fair.”
Walgreens also argued that the $1.44 million jury verdict was excessive and based on improper factors. The court cited evidence admitted at trial regarding the damages and dismissed Walgreens’ arguments because they amounted to a request to reweigh the evidence, which, the court said, it does not do when evaluating a damages award. It found the evidence presented sufficient to support the award.
Privacy attorney Adam Greene of the law firm of Davis Wright Tremaine points out, “Even if a plaintiff can demonstrate a violation of HIPAA, a challenge has been showing damages. What remains to be seen is whether the $1.4 million verdict in the Walgreens case leads to similar findings of harm in other state cases, or whether this was a particularly unique fact pattern.”
Drummond points out that “while the pharmacist definitely ‘used’ PHI improperly by accessing PHI she should not have accessed, the plaintiff’s damages came not from that use, but from a further ‘disclosure’ of the data” to Withers’ husband, the father of Hinchy’s child. “While the pharmacist’s improper use of the PHI closely tracked the pharmacist’s proper uses of PHI, any disclosure (which would be required for the damages to occur) would not be within the pharmacist’s normal employment activities and might provide a good argument that the actions of the pharmacist were outside the scope of employment.”
Walgreens plans to appeal the court of appeals’ decision.
What Is the Impact on Other State Cases?
So how much impact will this decision have on other state cases alleging privacy violations using HIPAA as the standard of care? Are employers now more likely to be held liable for employees who violate HIPAA while on the job?
According to Drummond, “I don’t think there were too many plaintiffs sitting on the sidelines, not making legitimate state-law claims because they know there’s no private cause of action under HIPAA. I’ve thought all along that, while clearly you can’t sue for a HIPAA violation, you could still sue for a state law violation. These cases may make plaintiffs’ lawyers more interested in bringing marginal cases, where there’s no clear state law allowing a breach of confidentiality claim. But where there’s a clear state law right to sue, I don’t think HIPAA’s ‘no private cause of action’ standard has been much of an impediment,” even before the Walgreens case.
Covered entities, Drummond says, should “have strong, consistent, and enforced policies and procedures. Draft clear data use and disclosure rules and information pathways, and constantly remind your employees of their duties and obligations. Regularly audit your employees and their data access/use/disclosure activities, and encourage your employees to keep tabs on each other (to positively reinforce data rules, but also to report suspicious activities). Promptly correct errors and mistakes, and punish employees who willfully or carelessly violate policies and procedures. Covered entity employers must take visible steps to place HIPAA-violating activities outside the ‘scope of duties’ of their employees in any way they can.”