A New Way to Sue Health Care Professionals Using HIPAA?

Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees.  While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court and it could have serious repercussions on the health care system.

The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, whom she suspected gave her husband an STD. Apparently she found what she was looking for and told her husband about it, who then sent a text message to his ex and informed her that he knew all about her results.

The ex did not appreciate this, and told the Walgreens pharmacy about what happened.  At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.

Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach.  The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.

As I said above, it may not sound like a big deal, but it potentially is.

Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.

Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.

Mr. Eggeson, who specializes in privacy law and medical malpractice, in an interview with Lawyers.com, said “10 years into the HIPAA privacy rule, I should not be the only attorney in the country doing this type of work.”

But, recently, a pathologist reader who is also an attorney wrote me and said the manner in which HIPAA was used in the Walgreens case was actually not novel after all.

The reader also stated he believes there will likely be a lot more of these HIPAA-type privacy lawsuits “as more and more plaintiff attorneys realize pharmacies, hospitals, and other health organizations are vulnerable and have deep pockets.”

After I received the reader’s email, I reached out to Neal Eggeson, the lawyer who successfully argued the Walgreens case and asked him for clarification regarding his case and how he used HIPAA.  He was kind enough to respond.

My reader’s thoughts on the article are below, followed by Mr. Eggeson’s. Many thanks to both of them for helping me understand both this case and how HIPAA is being used in civil lawsuits better.

The reader:

“As a multiple personality professional, I have a great amount of respect for HIPAA, its use as a shield for privacy data, and its use as a sword in litigation.  As such, even though the federal HIPAA statutes may not have a specific private right of action, I believe pathologists and other health care providers should recognize that breach of privacy litigation, both health care related and non-health care related, has been around for many years as a private (common law, sometimes statutory law) right of action.

What plaintiffs commonly have been doing in recent years is to use a HIPAA violation as the underlying predicate offense in their breach of privacy, defamation, negligence, breach of fiduciary duty, or other likewise suit.  Since HIPAA does not have a private right of action, common folks like you and I cannot use HIPAA directly in a privacy lawsuit, only the government can sue with HIPAA (civilly and criminally I might mention).  What private citizens have been doing, though, is proving to the court that if a HIPAA violation occurred, then this violation serves as a breach of duty by the health care professional in negligence cases, fiduciary duty cases, and straight forward violation of privacy cases.

…Doe v. Quest in the Missouri Supreme Court, where the court allowed a breach of fiduciary claim to stand verses Quest after their phelebotomist wrongly faxed HIV results without the express permission of Mr. Doe.  This case used overtones of HIPAA and similar state privacy laws, like state HIV privacy laws, as the underlying predicate (underlying wrong) in the suit.  Additionally, I easily found three other cases where HIPAA violations were used as the underlying predicate for private rights of action in state law privacy violation claims.

The first is a federal case (attached) from the Eastern District of Missouri by Judge Stephen Limbaugh (he is either the brother or cousin of El Rushbo), I.S v Washington Univ (E.D. Mo 2011).  In this case, Judge Limbaugh recognized that there was no individual private right of action under HIPAA, but that under Missouri law, HIPAA could be used to provide a standard of care from which to judge a defendant’s actions, and that HIPAA could also be used to establish a legal duty of care.  States vary in their laws, so every state may not agree with Missouri state law, but many do.

Second, in a 2006 state court case (attached), the North Carolina Court of Appeals allowed HIPAA to be used to demonstrate the standard of care element in a psychiatric privacy case where the plaintiff sued for negligent infliction of emotional distress.  If one can use HIPAA as the standard of care and show HIPAA was violated, then the next logical step is that the health care professional breached a duty owed to the plaintiff by violating the standard of care.  After that, all that remains is proving damages.

Finally, in a more recent West Virginia Supreme Court case, a case that cites many underlying cases from other states in a survey of the law, the Court found that HIPAA does not preempt state laws and that HIPAA may be used as the basis of a negligence claim (used as the standard of care to which a breach of duty is judged). See R. K. v St. Mary’s Med Ctr, (2012) attached.

I hope you find this discussion interesting.  HIPAA is a very complex and tricky set of laws and regulations, and I fear litigating HIPAA will become the next new cottage industry for plaintiff attorneys. The more pathologists and physicians know about HIPAA, the better.”

Mr. Eggeson:

Your reader is correct that the lawsuit itself was grounded in common law principles (negligence, professional malpractice, and invasion of privacy).  The reason HIPAA experts are getting excited about the case is that in arguing that Walgreen was negligent and that the pharmacist committed professional malpractice, I used HIPAA to establish the standard of care.  Though it might seem a semantic distinction, it is actually quite important from a legal standpoint; I did not sue Walgreen for violating HIPAA, I sued Walgreen for negligence, but I used HIPAA to prove that Walgreen was negligent.  Similarly, I did not sue the pharmacist for violating HIPAA, I sued her for professional malpractice, but I used HIPAA to prove that what she did fell below the commonly-accepted standard for privacy protection.

The Pathology Blawgger is a surgical pathologist. He is the author of The Pathology Blawg, where earlier verions of this post originally appeared.

20 replies »

  1. 1/13/2015 I went to Clinic office. Told my provider not to do any further referrals because I was very unhappy with the last one. 1/14/2015 I received a telephone call from a non medical person who lives on the N. side of Ocala,Fl to come and pick up my medical records. They had been faxed to him and he was very unhappy about it, 12 or 13 pages were sent. I called the clinic-they denied it until I told them I had talked to the irate man and had gone and picked up my records. The LPN who had actually done it called me crying. I told her she was a complete moron and no I’m sorry will work for me from her.They tried to barrage me with calls then. On 1/15/2015 I got a call from another actual Dr–they had faxed my records to the office even though on the 13th I told them no referrals and on the 14th said to cease and desist. So-I filed against them with the Florida Medical Board and the State’s Attorney Office AND with HHS in Atlanta. What do I do next? Do you know of an attorney here in Florida that would help me? I am over 65 and I am disabled. Thank you

  2. Long story involving wrongful dismissal. Working for a large national Specialty pharmacy (division of large mail order pharmacy), I was given 33% more responsibility with no additional pay, as a result of a territory remaining unfilled for 10 months. My Regional Director proportatly “managed” the territory and required reporting, but did not. Resulting in the deterioration of the performance of the territory. I was given resposibility, but he wouldn’t give me access to the contacts at the major centers for excellence or the area pharmaceutical partners. I later found out that one of the large centers was not doing business with our company except on an as needed basis as a result of a violation of their patients privacy. A co–worker had obtained a list of names of patients managed by our company on behalf of the hospitals program (mind you only for dispensing and tracking and pass through medicine costs), these were not “our” patients, they were the hospital programs patients. This person, gave the list to a pharmaceutical rep to invite them to a dinner program for their new drug. My Regional DIrector was made aware of it and swept it under the rug, did nothing!

  3. Naomi,
    I’d send a letter to Target home office legal department outlining the facts and demand an apology and that this Tech be fired. Also, the Pharmaict in CHARGE of the techs, and should be notified too. Because this guy’s big mouth needs to be stopped immediately. Then, I’d file a HIPPA complaint at the Federal and State level. I too, had to take that medicine used for Herpes for my cold sores…that I had due to a major vitamin defeciency! I laughed as I read the “intended use”….and I joke about having to take Herpe medicine for major cold sores. Cold sores are the herpe virus! So don’t fret, more people than you think, realize this! On the legal side–no MAJOR damages have really occurred. You have not been fired or hospitalized due to stress etc. So, I can’t see anyone even taking this case. BUT again, getting this tech fired or atleast in trouble may hopefully keep him from blabbering info all over. Notify the COMPANY and the PHARMASICT at once! This is probably just one of those things that has been handled poorly and you have suffered terriably…but nothing concrete that the courts are going to pay you for. Besides, you may have a hard time getting the people he blabbed to , to testify for you. Sorry this happened to you ….good luck!

  4. I used to take the suppressant drug “Acyclovir”, commonly used for herpes. The young male pharmacy tech at Target who always fills my prescriptions has a friend who recently worked a seasonal position at my company. This pharmacy tech told his friend that I was taking that medication and was infected.. and that friend then told everyone at my job. I am feeling absolutely violated and ashamed. Is this grounds for a lawsuit against Target? This breach of confidentiality has directly effected my employment and caused me great emotional damage. The only way I can hope to prove that he did it is by word of mouth by a few witnesses. What should I do??

  5. It is disgusting how the HIPAA law really does not protect individuals. For example it is a rule that medical providers will allow the patient access to their medical records however it is rare that they do. You cannot sue to enforce HIPAA. If the HHS investigates your claim, the maximum penalty is $100. Unless your state has their own law, you do not have a right to sue for the record in court. Louisiana does have such a law but the damages are only attorney’s fees and court costs and first you must make the demand by certified mail (and I advise with return receipt.)
    I believe that there should be rights to civil action at the federal level. Their should also be penalties for each day that the violation is not corrected in addition to an initial baseline damage. In Louisiana, failure to allow access to public records can get you $100 per day in damages. Nothing for your own medical records.

  6. Question (as I sit in hospital recovering):
    This morning as i checked in for a procedure the admittance desk took my other than me contact person. I gave it and said that person was only to be called in the event of an emergency and in fact did not know i was at the hospital and i intended it to stay that way, barring complications.

    She looked surprised and asked me, again, if she can call her to inform her of my condition after surgery. I, again, said ”no”. There were two other nurses standing behind her listening to our conversation, also. The one taking my information said she would write it on the intake form and did so
    in front of me.

    Once in pre-op waiting, I told both the surgeon and nurse to not contact that person unless there was an emergency. They acknowledge my wish.

    After surgery, in my room I received a text from my contact person saying how shocked she was I had gone in and had surgery without her knowing…on…and…on…and…on. It was an extremely stressful situation.

    I asked how this person found out and she said she was called by the hospital staff with the information about my procedure, condition, the hospital, and the room I was currently recovering in.

    I was stressed most of the day fearing a visit from this person.

    What can I and/or should I do about this breach of privacy.

  7. Kat: You need a medical malpractice attorney. The internet can provide you with many referrals. Just type in “medical malpractice pharmacy AV Rated attorneys” and the largest city you live near.

    AV Ratings are provided by other attorneys who either know or have dealt with the attorney in litigation and non-litigation settings.

    In consulting with the attorney(s), you can also ask whether the conduct was criminal. It may well be depending on the State laws but it is always best to get a professional opinion before proceeding. The civil action may or may not be taken on a contingency which will be explained by the attorney(s) which you interview.

    Keep in mind that you are hiring the attorney who must work for you. Attorneys and law offices cherry-pick their cases carefully and for good reason: there are two sides to every story and clients do not always recall important information. This may be worth pursuing but you will not retire off any remunerations received.

  8. You actually make it seem really easy along with your presentation however I in finding this matter to be really something which I feel I’d never
    understand. It kind of feels too complicated and extremely broad for me.
    I am having a look forward to your subsequent publish, I will try to get the hold of

  9. What kind of lawyer do I need I called the bar association and they only had one lawyer to give me and said she wasn’t sure if he’s ever really taken in a case like this. I’m willing to drive hrs away to Indy Chicago wherever needed in order to get an attorney who knows what he’s doing and can take this case on with confidence and win!

  10. I have been taking my medications to a CVS deliberately for at least a year now because of the fact I live in a small town and people see your picking up medication and you’ll be the talk of the town so to prevent that I always filled at least a 30 minute drive to a bigger town or city to prevent that. Well the first week of May my mom was driving my car and I was passenger because my 9 month old son was in the back and I was feeding him. So we go to the second lane drive up where you send the tube the ought the pipes to get to and from. Well me and my mom were both getting prescriptions filled so they tell me my cost u give them a credit card get it back to sign send back and next should be my prescription coming through the tunnel so were sitting there for about 5 minutes and the lady asks if we needed anything else and my moms like yea my daughters script was never given after she signed the receipt for using her card, so immediately without thinking she made a statement along the lines of like oh no I hope I didn’t send it on the wrong tube so she gets the pharmacist over by the window n we see them talk for maybe a minute and she comes on and asks us to give them 15 minutes to look around or come up w a story, I’m not sure,”. I know 15 minutes lady she had a whole new attitude about the situation was absolutely certain it was sent through and basically they’re going to have someone come make sure the pipes aren’t clogged but if so n my scripts in there they’ll call me, obviously in the 15 minutes in between I know another car came in the same lane and used the sme tunnel and there was no clog and they were just wasting their time and mine. End result was I could file a police report w an officer at the store and as long as he was present we could all watch the video because the pharmacist was adamant it was on tape n shown given to our tunnel and you can see my mom grab the bAg and all. So we get there make the police report tell the pharmacist we’ve done what we were told we have an officer and we’d like to watch the tape well it just so happened within those few short hours the head pharmacist was gone or out of town I’m not exactly sure what the excuse was because by that point I was pretty much seeing red. 2 days later receive a call from a male who was somehow involved in dealing with this and tells me he can send me a gift certificate for the $10 I paid for the script at that point I knew I wasn’t getting my $150 office visit medication that month so gave him my address and got off the phone, guess what it’s August 4th,2014 and never got the 10 Giftcard. That’s just the tip of the story this is where the illegal issues and me wanting to sue for numerous reasons. It ends up there was a tech there that day and according to what I was told she said “the entire pharmacy was discussing it for like days and when she heard someone say my ne and medications she realized I’m married to her first cousin. I had absolutely no idea. I just had a baby at the end of 2013 and my husband is a big believer in you don’t need medication for anything it’s all in your head, which I’m the opposite I’m open minded and understand people do have feeling or experience things that other people never have and in turn they find it hard to believe or my husband things I’m just being weak. After my son was born I thought about it and decided I am an adult, he doesn’t need to understand and u know I need certain medications so I decided since he’ll never accept it I was just going to go and get my medicine and jeep it to myself and was doing that well until about 2 or 4 weeks ago, when I get home and my husband tells me his cousin works there, the way he understood the story CVS called the police not me, so I look like a lying criminal. It went from her to her older brother, my husband cousin who he was close with growing up toy husband as well as my husbands uncle and my in laws. I feel extremely embarrassed and just violated and I have to do something about this. My husband and I were already a little rocky fighting much more than normal and when that happened. He told me I’m never going to change or be honest with him and without honest you don’t have a marriage and he literally went to a lawyer filed for divorce and my papers came today. So because the law was broken in many ways l, my privacy was invited and now my family including my 11 month old son are all falling apart and affected because of this I feel I have to have a lawsuit somewhere in all of this mess I just don’t know who to talk to and how to get my answers like do I have a lawsuit possibility and if so how can I get this going and in motion! Any help would be appreciated. You can contact my email at bnsutton25@gmail.com or give me a text or call at 1-219-713-9394 My names Brittany. Thanks!

  11. I also was contacted via text by a pharmacist that “hit” on me while picking up my prescription. He went as far as saying he’d remembered me when I picked up my prescriptions at another location (same company) he knew where I lived and said “I never gave him the time of day before?” After leaving the pharmacy somewhat in shock, I received a text asking me to send him pictures of me!! He knew my new address (he said he needed it to update my record) my home had been broken into shortly afterwards, while still receiving texts from this creep! I moved from the state as I was so freaked out I couldn’t function. My anxiety became much worse needless to say. And, yesterday I discovered this same pharmacist “hit” on a friend of mine’s wife sending pictures of his private parts and having sex with her while he was on duty at work!! What can a single woman do to protect against this horrible violation? It’s changed my life to the point I have difficulty functioning in public and become very distrustful of everyone…What a horrible violation..I have no idea what else this criminal in a “pharmacist’s coat” has done to me (regarding my personal medical records) after I told him not to contact me!! He stated not to tell anyone as he “could lose his job!” after seeing the pictures he sent to ironically, another woman I personally knew I’m horrified and shocked..I believe this man is dangerous and is still practicing as a pharmacist? Where do we turn? To perhaps save other women from this horrible violation of privacy, let alone what it’s done to me psychologically? I believe this man is dangerous!! How can I get someone to help before something worse happens?

  12. Yikes; Defiantly a hippa violation. Not to mention a little more than creepy.

  13. Here is a question – What do you do when a pharmacy technician accesses your personal and private information to send you a text message? I do not have any type of relationship with this person, only the occasional hello when picking up my RX. Yesterday I received text messages from him telling me how attracted to me his is. I’m completely freaked out.

  14. 3 /10/2010 I had a penal implant at JRMC Pine Bluff ar. A nurse working for a contract co. [hurst review brookhaven MS] went to JMRC TO teach student nurses at that location. She wasn’t an employee of JMRC. Some how she got in my medical records, only the hospital knows when she was there. I was contacted by my brother in law and sister in 1/06/2014 is when I first new of it. The nurse call them an told them an who else she told I would like to know. I need some names of attys. that take cases like that.

  15. I’ve been to a hospital where my ex’s mother works and she breached my daughter’s PHI. When I complained of this and other issues that accrued at the hospital the lady was fired shortly later. My thing is my ill one was never her patient in any way and breached her phi several times. Then the lady made allegations on me to other officials but nothing happened and I was cleared by them. But what can I do or what should I do.

  16. This million dollar lawsuit was mainly against the global business entity called The Walgreens Company and an overzealous individual that violated one of the most sacred values Healthcare Professionals are entrusted with. A patient’s medical history and information is a trust between Medical Professionals were it to become devalued by instances as this, healthcare and patient care as a whole would collapse. It is happened to be that in this case, the culprit was a Walgreen’s Pharmacist, but having been one myself in the past; I can tell you that if the culprit could have have just as easily been the Pharmacy Technician since they are granted they same access to patient computer records. So, does the guilt of the violation fall on the Company, The Pharmacist, or the individual that committed these actions that just happened to have been the pharmacist ?

  17. These multimillion dollar awards come out of the hides of the healthcare worker and when are the politicians going to stop it? (When the trial lawyers stop donating millions to their campaigns.)

  18. Protecting PHI is crucial as we all know. For individuals/organizations who collect patient data with online surveys, SurveyMonkey now offers HIPAA-compliant surveys. After you sign one of their Business Associate Agreements, they will help you meet your HIPAA obligations with all of the physical, tech and administrative requirements that are expected for HIPAA-covered entities.

    More info from their blog: http://blog.surveymonkey.com/blog/2013/09/10/hipaa-compliant/

  19. The moral is simple.

    Pharmacies and other Health Care Professionals need to remember that any medical records they have access to are there to help them help that patient.

    They are not intended for light reading, nor are they the proper subject for discussion with others.

    If they but keep that in mind they need not fear lawsuits for privacy violations.