HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Does Walgreens Loss Set a Precedent for Employer Liability for HIPAA Violations? | AIS Health

When the Indiana Court of Appeals released its decision upholding the $1.44 million jury verdict against Walgreens for privacy violations by an employee pharmacist, the press and blogosphere started buzzing about the precedent it was setting — an employer could be held liable for the HIPAA violations of an employee. This was the view espoused by the plaintiff’s attorney, Neal F. Eggeson, in a statement to the Indianapolis Star on Friday, Nov. 14, the date of the decision.

The plaintiff, Abigail Hinchy, had sued Walgreens and its pharmacist, Audra Withers, for viewing her prescription records without authorization and then disclosing the information to her husband, who was a former boyfriend of Hinchy’s and the father of her child, who threatened to use the information in a paternity lawsuit. After contacting the company, Walgreens acknowledged the HIPAA violation to Hinchy and said that it had given Withers a written warning and required her to retake a HIPAA computer training program.

Hinchy sued both Walgreens and the pharmacist. In her complaint, Hinchy alleged negligence and professional malpractice, invasion of privacy and public disclosure of private facts, and invasion of privacy/intrusion against Withers. She alleged the same causes of action against Walgreens, under the theory of “respondeat superior,” under which an employer is held responsible for the actions of employees performed within the scope of their employment. Walgreens argued that an employer should not be held liable for acts of an employee who knowingly violated company policy, in this case, HIPAA policies and procedures.

In its decision, the court of appeals cited a number of Indiana cases to explain the concept of respondeat superior. In particular, it focused on when an employee is “acting within the scope of employment when performing work assigned by the employer or engaging in a course of conduct subject to the employer’s control.” After reviewing the case law, the court concluded that “Withers’ actions were of the same general nature as those authorized, or incident to the actions that were authorized, by Walgreens.... Hinchy belonged to the same general category of individuals to whom Withers owed a duty of privacy protection by virtue of her employment as a pharmacist.”

The court also explained that for respondeat superior liability to attach “there must also be underlying liability of the acting party,” in this case, Withers. Hinchy sued Withers on two theories of direct liability — professional malpractice and public disclosure of private facts. The court did not express an opinion on whether Indiana recognized the tort of public disclosure of private facts, which could encompass a HIPAA violation, because Walgreens had not appealed the trial court’s denial of summary judgment on the claim of privacy invasion. Instead, it considered whether Withers committed “the tort of negligence by virtue of professional malpractice of a pharmacist.” It found that under Indiana law, Withers had a duty of confidentiality to Hinchy and that she had breached that duty when she examined Hinchy’s prescription records without authorization and subsequently disclosed the information. “Under these circumstances,” the court said, “we find that the jury verdict can be affirmed based upon the respondeat superior liability of Walgreens, which attaches via the liability of Withers for her negligence/professional malpractice.”

Employer Liability for Employees Is Not New

According to Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP, employer liability for employee actions when acting within the scope of employment has been around forever, and to conclude that the appeal confirmed that privacy breach victims may hold employers responsible is an “overreach.” The issue in the Walgreens case was whether the employee was acting in the scope of her employment when the employee breached HIPAA and violated company policy. In this case, the jury decided that the employee was, and the appellate court declined to overturn that decision. But, according to Drummond, “in this particular case, the appellate court gave too much credence to the fact that the employee’s wrongdoing (looking at medical records she shouldn’t have looked at) was very similar to activities the employee would take in the performance of her legitimate duties (looking at medical records she should look at); if that’s the case, a waiter stealing a customer’s credit card number would be attributable to the restaurant owner, which doesn’t seem fair.”

Walgreens also argued that the $1.44 million jury verdict was excessive and based on improper factors. The court cited evidence admitted at trial regarding the damages and dismissed Walgreens’ arguments because they amounted to a request to reweigh the evidence, which, the court said, it does not do when evaluating a damages award. It found the evidence presented sufficient to support the award.

Privacy attorney Adam Greene of the law firm of Davis Wright Tremaine points out, “Even if a plaintiff can demonstrate a violation of HIPAA, a challenge has been showing damages. What remains to be seen is whether the $1.4 million verdict in the Walgreens case leads to similar findings of harm in other state cases, or whether this was a particularly unique fact pattern.”

Drummond points out that “while the pharmacist definitely ‘used’ PHI improperly by accessing PHI she should not have accessed, the plaintiff’s damages came not from that use, but from a further ‘disclosure’ of the data” to Withers’ husband, the father of Hinchy’s child. “While the pharmacist’s improper use of the PHI closely tracked the pharmacist’s proper uses of PHI, any disclosure (which would be required for the damages to occur) would not be within the pharmacist’s normal employment activities and might provide a good argument that the actions of the pharmacist were outside the scope of employment.”

Walgreens plans to appeal the court of appeals’ decision.

What Is the Impact on Other State Cases?

So how much impact will this decision have on other state cases alleging privacy violations using HIPAA as the standard of care? Are employers now more likely to be held liable for employees who violate HIPAA while on the job?

According to Drummond, “I don’t think there were too many plaintiffs sitting on the sidelines, not making legitimate state-law claims because they know there’s no private cause of action under HIPAA. I’ve thought all along that, while clearly you can’t sue for a HIPAA violation, you could still sue for a state law violation. These cases may make plaintiffs’ lawyers more interested in bringing marginal cases, where there’s no clear state law allowing a breach of confidentiality claim. But where there’s a clear state law right to sue, I don’t think HIPAA’s ‘no private cause of action’ standard has been much of an impediment,” even before the Walgreens case.

Covered entities, Drummond says, should “have strong, consistent, and enforced policies and procedures. Draft clear data use and disclosure rules and information pathways, and constantly remind your employees of their duties and obligations. Regularly audit your employees and their data access/use/disclosure activities, and encourage your employees to keep tabs on each other (to positively reinforce data rules, but also to report suspicious activities). Promptly correct errors and mistakes, and punish employees who willfully or carelessly violate policies and procedures. Covered entity employers must take visible steps to place HIPAA-violating activities outside the ‘scope of duties’ of their employees in any way they can.”

Employer liability for HIPAA violations: a new day dawning? | Lexology

The Indiana Court of Appeals recently issued an opinion in the case of Walgreen Co. vs Hinchy that could permanently alter the landscape for employer liability for HIPAA violations committed by employees.  Health care providers should be aware of this case and take actions to limit their exposure to this type of liability.


In 2010, a Walgreen Co. (“Walgreens”) pharmacist utilized her information access rights to review the prescription records for her current boyfriend’s ex-girlfriend.  The purpose for accessing the records was to obtain information about the ex-girlfriend’s use of prescriptions for birth control and a sexually transmitted disease.  Evidence indicated that the pharmacist also shared the information she found with her boyfriend, who shared it with at least three other individuals.  When the ex-girlfriend became aware of the potential that her information had been improperly accessed, she contacted a local Walgreens pharmacy but was informed by a person at that store that they could not track whether her records had been accessed.

When the ex-girlfriend eventually learned of her ex-boyfriend’s relationship with a Walgreens pharmacist, she again contacted Walgreens, who, after investigation, confirmed that the pharmacist had viewed the information for personal purposes in violation of HIPAA.  Walgreens disciplined the pharmacist with a written warning and by requiring her to take additional online HIPAA training.  The ex-girlfriend subsequently filed suit against both the pharmacist and Walgreens in Marion County, Indiana, alleging claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts, invasion of privacy/intrusion, negligent training, negligent supervision, negligent retention and negligence/professional malpractice.  In July 2013, a jury found in favor of the ex-girlfriend and held Walgreens and the pharmacist liable for $1.4 million in damages.  Walgreens appealed that verdict to the Indiana Court of Appeals.

The Appellate Court Decision 

The Indiana Court of Appeals affirmed the trial court’s verdict, holding that the trial court did not commit reversible error in its various rulings and that the damages award was not excessive.  The underlying theory of liability for the jury verdict was not clear to the appellate court, but the court noted that sufficient evidence was presented to the jury to justify a verdict based on negligence by virtue of professional malpractice of a pharmacist.  Essentially, the court recognized that pharmacists owe their customers a duty of confidentiality and that a breach of that duty can cause damages to the customer.  Whether the pharmacist’s breach of that duty can also be attributed to Walgreens became the focus of the appellate court’s opinion.

Walgreens alleged on appeal that the trial court should not have sent the case to the jury for claims based on respondeat superior because the employee was acting outside the scope of her employment when she inappropriately accessed the records.  Respondeat superior is the doctrine regarding when an employer will be held liable for the acts of its employees.  Walgreens had argued that the trial court should have determined as a matter of law that Walgreens was not liable for the actions of the pharmacist because those actions were prohibited by Walgreens policy and inconsistent with the HIPAA training Walgreens provided the pharmacist and thus outside the scope of her employment.

The appellate court determined that whether the pharmacist’s conduct was within the scope of her employment was a proper question for the jury since her actions “were of the same general nature as those authorized, or incidental to the actions that were authorized by Walgreen.”  According to the court, since the pharmacist had legitimate access to patient prescription histories on the Walgreens computer system, her misuse of that access for personal reasons remained within the scope of her employment.  The appellate court thus affirmed the jury verdict based upon Walgreens’ respondeat superior liability for the negligence/professional malpractice of the pharmacist.

The appellate court also upheld the amount of the jury verdict, holding that there was sufficient evidence in the record to support holding Walgreens and the pharmacist liable for $1.4 million in damages.  Factors cited by the appellate court in support of the damage amount included:

  • The ex-girlfriend’s records included sensitive information about her use of birth control and treatment for a sexually transmitted disease;
  • The information became known to several people, including the ex-girlfriend’s father; and
  • The ex-girlfriend testified that she experienced emotional harm that affected her ability to care for her child and caused her to begin taking a more expensive antidepressant.

Walgreens argued that the damages were excessive and based on improper factors because the ex-girlfriend did not have any physical injuries or conditions resulting from the breach, she did not lose any wages as a result of the breach, and she did not offer any professional testimony supporting her claimed emotional harm.  The appellate court refused to reweigh the evidence and change the damage amount awarded by the jury.


In upholding the verdict against Walgreens, the appellate court established some precedent that should get the attention of health care providers.  The case is important in a few ways.  First, it recognizes that a health care provider in Indiana may be held liable for monetary damages arising from a wrongful disclosure of patient information on a professional malpractice theory.  In essence, the court is recognizing the duty of confidentiality as part of the professional standard of care for health care providers.  Second, the court is permitting such liability even in the absence of physical harm or professional testimony to support claimed emotional harm.  This could materially lower the bar for proving damages in these types of cases.

Third, the case establishes that a health care provider could still be liable for a wrongful use or disclosure by an employee even where the employee’s actions directly contravene the provider’s established and implemented confidentiality policies.  Health care providers are required by HIPAA and other authorities to have policies governing the use and disclosure of health information and to train their workforce members to follow those policies.  This case makes it clear that compliance with HIPAA and those other authorities is not sufficient to avoid liability to individuals for the wrongful actions of employees.


In order for health care providers to reduce the likelihood of liability to patients for the wrongful use or disclosure of health information by employees, providers should consider the following recommendations:

  • Ensure that the provider has strict policies forbidding the use or disclosure of patient information for non-work-related purposes and enforce those policies consistently when potential issues arise.  If liability is possible where policies and procedures already are in place, then the failure to have clear policies in this regard will make proving such a case that much easier.
  • Regularly monitor and track access to patient information by workforce members.  Providers should have a process in place for auditing workforce access to patient information that proactively seeks to identify and prevent the potential inappropriate use and disclosure of such information.  Audit processes can serve as an effective deterrent for employees considering such activity.
  • When an instance of potential wrongful use or disclosure is discovered, the provider’s process should require the immediate loss or suspension of the individual’s access to patient information until the issue can be investigated and resolved.
  • Have personnel policies that allow for the imposition of significant disciplinary action, including termination, when an employee uses his or her legitimate access to health information for personal purposes.  Meaningful and decisive disciplinary action might help reduce the likelihood that an individual will bring an action against the provider for the actions of that employee.   The potential for such disciplinary action also can serve as an effective deterrent to employees considering misusing health information.
  • Be sure that policies and procedures are in place governing the receipt of patient complaints and that all appropriate workforce members are trained on those procedures.  How patient complaints are handled from the beginning can be a material factor in a given individual’s decision whether to sue the provider for a wrongful use or disclosure.
