High Employer Liability for Employees’ Wrongful Use of Access Privileges to HIPAA Information

Jan 12, 2015 at 04:25 pm by Staff

In 2010, a Walgreens pharmacist accessed the prescription records of her boyfriend's ex-girlfriend, Abigail Hinchy, for the purpose of gaining information related to Hinchy's use of prescription birth control and potential sexually transmitted infection. That pharmacist divulged this information to her boyfriend, who subsequently shared the information obtained with multiple individuals. When Hinchy learned of the improper access and disclosure of her information and contacted Walgreens, she was initially informed that Walgreens was unable to track who had accessed her records through Walgreens' computer system. After Hinchy again contacted Walgreens with further incriminating details regarding the pharmacist, Walgreens issued the pharmacist a written warning and required her to retake a HIPAA training program. Unsatisfied, Hinchy filed suit against both Walgreens and the pharmacist, including claims against Walgreens for negligent training, negligent supervision, negligent retention, negligence/professional malpractice, and liability under the principle of respondeat superior, a legal principle by which an employer may be responsible for the conduct (and misconduct) of its employees within the scope of their employment.

After a four-day trial in July 2013, the jury found in Hinchy's favor and determined that Walgreens and its pharmacist were jointly responsible for $1,440,000.00 in damages. Factors cited in support of this notable verdict amount included the sensitive nature of the information in question, the emotional harm Hinchy claimed she suffered as a result of her information being divulged (resulting in Hinchy beginning to take a stronger antidepressant), and the fact that the information was divulged to several people including Hinchy's father. The significance of this damages amount being not only awarded, but also upheld by both the trial court as well as the appellate court (upon Walgreens' appeal) should not be overlooked - essentially, the jury, trial court, and appellate court all recognized that Walgreens' professional standard of care as a health care provider included a duty of confidentiality, and that Walgreens' breach of such a duty reasonably rendered the company jointly liable for more than $1.4 million, even without any allegation of physical harm or professional testimony supporting Hinchy's claim of emotional harm.

In its appeal, Walgreens argued that the trial court had erred by denying several of Walgreens' dispositive motions. During the course of the trial litigation, Walgreens had filed motions for summary judgment and a directed verdict as to the respondeat superiorclaim, essentially asking the court to dismiss that claim by determining that the pharmacist's misuse of her access to Walgreens' computer system to view Hinchy's information was outside the scope of her employment. The trial court denied these motions, and the Indiana Court of Appeals affirmed the trial court's decisions. Importantly, the Indiana Court of Appeals found that denial of Walgreens' motions was appropriate since much of the pharmacist's conduct (using legitimate access to Walgreens' computer system to view patient prescription history) was of the same general nature as her ordinary job duties and of the same general nature authorized by her employer. Further, the Indiana Court of Appeals noted that the fact that an employee is empowered to commit the tort because of their employment weighs in favor of respondeat superior.

Although the true impact of this case may not be known immediately, the precedent set is undeniably significant. Walgreens was held liable for the wrongful use and disclosure of protected health information by its pharmacist, even though the pharmacist's actions were in direct conflict with and violated Walgreens' well-established policies and procedures addressing confidentiality. Healthcare providers have long been required by HIPAA (as well as other federal and state authorities) to implement policies regarding, and to train their employees on, the use and disclosure of health information. Walgreens Co. v. Hinchyappears to take this responsibility further by establishing that a healthcare provider's compliance with these requirements through implementation of such policies and training their employees accordingly cannot reliably protect the provider from liability for the wrongful actions of its employees.

Simply implementing the required policies and training your staff to comply with such policies may no longer be sufficient. Proper auditing of your employees' access to patient information, coupled with regular monitoring and tracking of such access, should be instituted - not only to facilitate your ability to expediently identify wrongful access and/or misuse of privileges, but also to create a powerful deterrent to employees committing such violations in the first place. As further deterrent, policies and procedures should allow for, if not require, strong discipline such as suspension of access privileges while an employee's potential misuse is being investigated as well as termination when such misuse is evident. Walgreens' written warning and requirement that the pharmacist retake a HIPAA class was likely viewed by Hinchy as nothing more than a "slap on the wrist." Finally, ensure that your policies and procedures sufficiently govern how patient complaints are received, recorded, and responded to. We will never know if Hinchy would have filed her suit had Walgreens handled Hinchy's complaint differently and timely terminated the pharmacist for her wrongful access and disclosure of Hinchy's information. In the end, one of the most effective methods of reducing the risk of finding yourself in a lawsuit similar to Walgreens' is to treat patient complaints in a manner that the patient feels is both satisfactory and expedient.

One Last Take Away

All Covered Entities and Business Associates covered by HIPAA, as well as the Florida Information Protection Act and other applicable Florida medical record confidentiality and privacy laws, should strongly consider obtaining insurance coverage for the defense of cases such as the Hinchy , breaches of patient data, healthcare regulatory investigations, HHS/OCR matters and professional licensure investigations involving alleged breaches of patient medical records and privacy. A variety of policies are available including cyber liability, professional licensure defense, privacy and other types which can provide not only indemnity for damages and even administrative fines and penalties in some cases, but also payment of defense costs such as attorney's fees, breach notification costs, expert witnesses and other associated expenses involved in the defense of civil lawsuits and government investigations/actions. If you have not evaluated your insurance coverage for such matters or contacted your insurance agent about such coverage, please consider doing so as soon as possible.

Mr. Evander and our law firm regularly represent physicians and other licensed health care professionals in the defense of medical malpractice cases, review of their medical malpractice professional liability insurance policies and coverages, and personal counsel matters as well as the review of employment contracts. To contact us regarding such matters please visit our website www.lowehealthlaw.com

Sections: Events

■ Recent News

Digital Editions

August 2022 Digital Edition

View the fullscreen version here