INDIANA APPEALS COURT UPHOLDS $1.4 MILLION VERDICT
AGAINST WALGREEN CO., FOR HIPAA VIOLATIONS
A recent decision by the Indiana Court of Appeals in the case of Walgreen Co. vs. Hinchy held that health care employers may be liable for HIPAA violations committed by their employees.
In August 2011, Abigail Hinchy (“Hinchy”) sued Walgreen Co. (“Walgreens”), when she discovered that one of its pharmacists improperly accessed her prescription history. Hinchy had once dated the pharmacist’s husband and had his child. The pharmacist’s husband was given Hinchy’s Protected Health Information (“PHI”) and he threatened to use that information in a paternity case. Hinchy discovered the unauthorized access after she received a text message from the pharmacist’s husband inquiring about the contraction of a sexually transmitted disease. When Hinchy became aware of the potential that her PHI had been improperly accessed, she contacted the local Walgreens store but was informed they could not track whether records had been accessed. The pharmacist had accessed Hinchy’s information several times without authorization. Hinchy filed suit in Marion County against the pharmacist for negligence and public disclosure of PHI and against Walgreens, as the pharmacist’s employer, alleging that Walgreens was responsible for the wrongful acts of the pharmacist under the doctrine of respondeat superior. In July 2013, a jury found in favor of Hinchy and held Walgreens and the pharmacist liable for $1.4 million in damages.
On appeal, Walgreens focused its challenge on the doctrine of respondeat superior, arguing that the pharmacist was acting outside the scope of her employment. The Court unanimously ruled that the pharmacist had violated “. . .one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client’s ex-boyfriend. . . We are loath to disturb jury verdicts and decline to do so in this case.”
Walgreens is planning to appeal.
This case serves to extend liability to an employer for improper disclosure of PHI by an employee, even when the employee has violated the employer’s HIPAA policies. In order to reduce exposure in view of this ruling, employers should take the following steps:
Adopt comprehensive HIPAA policies and procedures to ensure that PHI is safeguarded.
Train employees on safeguarding PHI.
Document privacy training.
Ensure that staff recognizes their responsibility for protecting PHI.
Document any known violations of HIPAA policies and procedures.
Closely supervise employees having access to PHI.
Immediately investigate complaints of improper access, use or disclosure of PHI.
Adopt a strict disciplinary policy to serve as a deterrent and enforce the policy when violations occur.
Audit and monitor systems to ensure that HIPAA policies and procedures are followed.
A copy of the decision is available here.
Please note that this post is only a brief summary of one issue related to HIPAA breach and steps employers should take in preventing the same. It does not constitute legal advice nor does it establish an attorney/client relationship. Should you have specific questions regarding the above, please contact Earle F. Hites or Benjamin T. Ballou at Hodges and Davis.
Hodges and Davis, P.C. - January 2015