Employer Liability for HIPAA Violations: A New Day Dawning?

The Indiana Court of Appeals recently issued an opinion in the case of Walgreen Co. vs Hinchy that could permanently alter the landscape for employer liability for HIPAA violations committed by employees.  Health care providers should be aware of this case and take actions to limit their exposure to this type of liability.

Background

In 2010, a Walgreen Co. (“Walgreens”) pharmacist utilized her information access rights to review the prescription records for her current boyfriend’s ex-girlfriend.  The purpose for accessing the records was to obtain information about the ex-girlfriend’s use of prescriptions for birth control and a sexually transmitted disease.  Evidence indicated that the pharmacist also shared the information she found with her boyfriend, who shared it with at least three other individuals.  When the ex-girlfriend became aware of the potential that her information had been improperly accessed, she contacted a local Walgreens pharmacy but was informed by a person at that store that they could not track whether her records had been accessed.

When the ex-girlfriend eventually learned of her ex-boyfriend’s relationship with a Walgreens pharmacist, she again contacted Walgreens, who, after investigation, confirmed that the pharmacist had viewed the information for personal purposes in violation of HIPAA.  Walgreens disciplined the pharmacist with a written warning and by requiring her to take additional online HIPAA training.  The ex-girlfriend subsequently filed suit against both the pharmacist and Walgreens in Marion County, Indiana, alleging claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts, invasion of privacy/intrusion, negligent training, negligent supervision, negligent retention and negligence/professional malpractice.  In July 2013, a jury found in favor of the ex-girlfriend and held Walgreens and the pharmacist liable for $1.4 million in damages.  Walgreens appealed that verdict to the Indiana Court of Appeals.

The Appellate Court Decision

The Indiana Court of Appeals affirmed the trial court’s verdict, holding that the trial court did not commit reversible error in its various rulings and that the damages award was not excessive.  The underlying theory of liability for the jury verdict was not clear to the appellate court, but the court noted that sufficient evidence was presented to the jury to justify a verdict based on negligence by virtue of professional malpractice of a pharmacist.  Essentially, the court recognized that pharmacists owe their customers a duty of confidentiality and that a breach of that duty can cause damages to the customer.  Whether the pharmacist’s breach of that duty can also be attributed to Walgreens became the focus of the appellate court’s opinion.

Walgreens alleged on appeal that the trial court should not have sent the case to the jury for claims based on respondeat superior because the employee was acting outside the scope of her employment when she inappropriately accessed the records.  Respondeat superior is the doctrine regarding when an employer will be held liable for the acts of its employees.  Walgreens had argued that the trial court should have determined as a matter of law that Walgreens was not liable for the actions of the pharmacist because those actions were prohibited by Walgreens policy and inconsistent with the HIPAA training Walgreens provided the pharmacist and thus outside the scope of her employment.

The appellate court determined that whether the pharmacist’s conduct was within the scope of her employment was a proper question for the jury since her actions “were of the same general nature as those authorized, or incidental to the actions that were authorized by Walgreen.”  According to the court, since the pharmacist had legitimate access to patient prescription histories on the Walgreens computer system, her misuse of that access for personal reasons remained within the scope of her employment.  The appellate court thus affirmed the jury verdict based upon Walgreens’ respondeat superior liability for the negligence/professional malpractice of the pharmacist.

The appellate court also upheld the amount of the jury verdict, holding that there was sufficient evidence in the record to support holding Walgreens and the pharmacist liable for $1.4 million in damages.  Factors cited by the appellate court in support of the damage amount included:

• The ex-girlfriend’s records included sensitive information about her use of birth control and treatment for a sexually transmitted disease;
• The information became known to several people, including the ex-girlfriend’s father; and
• The ex-girlfriend testified that she experienced emotional harm that affected her ability to care for her child and caused her to begin taking a more expensive antidepressant.

Walgreens argued that the damages were excessive and based on improper factors because the ex-girlfriend did not have any physical injuries or conditions resulting from the breach, she did not lose any wages as a result of the breach, and she did not offer any professional testimony supporting her claimed emotional harm.  The appellate court refused to reweigh the evidence and change the damage amount awarded by the jury.

Impact

In upholding the verdict against Walgreens, the appellate court established some precedent that should get the attention of health care providers.  The case is important in a few ways.  First, it recognizes that a health care provider in Indiana may be held liable for monetary damages arising from a wrongful disclosure of patient information on a professional malpractice theory.  In essence, the court is recognizing the duty of confidentiality as part of the professional standard of care for health care providers.  Second, the court is permitting such liability even in the absence of physical harm or professional testimony to support claimed emotional harm.  This could materially lower the bar for proving damages in these types of cases.

Third, the case establishes that a health care provider could still be liable for a wrongful use or disclosure by an employee even where the employee’s actions directly contravene the provider’s established and implemented confidentiality policies.  Health care providers are required by HIPAA and other authorities to have policies governing the use and disclosure of health information and to train their workforce members to follow those policies.  This case makes it clear that compliance with HIPAA and those other authorities is not sufficient to avoid liability to individuals for the wrongful actions of employees.

Recommendations

In order for health care providers to reduce the likelihood of liability to patients for the wrongful use or disclosure of health information by employees, providers should consider the following recommendations:

1. Ensure that the provider has strict policies forbidding the use or disclosure of patient information for non-work-related purposes and enforce those policies consistently when potential issues arise.  If liability is possible where policies and procedures already are in place, then the failure to have clear policies in this regard will make proving such a case that much easier.
2. Regularly monitor and track access to patient information by workforce members.  Providers should have a process in place for auditing workforce access to patient information that proactively seeks to identify and prevent the potential inappropriate use and disclosure of such information.  Audit processes can serve as an effective deterrent for employees considering such activity.
3. When an instance of potential wrongful use or disclosure is discovered, the provider’s process should require the immediate loss or suspension of the individual’s access to patient information until the issue can be investigated and resolved.
4. Have personnel policies that allow for the imposition of significant disciplinary action, including termination, when an employee uses his or her legitimate access to health information for personal purposes.  Meaningful and decisive disciplinary action might help reduce the likelihood that an individual will bring an action against the provider for the actions of that employee.   The potential for such disciplinary action also can serve as an effective deterrent to employees considering misusing health information.
5. Be sure that policies and procedures are in place governing the receipt of patient complaints and that all appropriate workforce members are trained on those procedures.  How patient complaints are handled from the beginning can be a material factor in a given individual’s decision whether to sue the provider for a wrongful use or disclosure.

The appellate court decision can be found on the Indiana judiciary website here.

If you need additional information about this matter, please contact:

• Mark J. Swearingen at (317) 977-1458 or mswearingen@wp.hallrender.com;
• Mary Kate Liffrig at (317) 977-1455 or mliffrig@wp.hallrender.com; or
• Your regular Hall Render attorney.

Please visit the Hall Render Blog at hallrender.com/resources/blog  for more information on topics related to health care law.