Tech

A New Way to Sue Health Care Professionals Using HIPAA?

Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees.  While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court and it could have serious repercussions on the health care system.

The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, whom she suspected gave her husband an STD. Apparently she found what she was looking for and told her husband about it, who then sent a text message to his ex and informed her that he knew all about her results.

The ex did not appreciate this, and told the Walgreens pharmacy about what happened.  At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.

Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach.  The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.

As I said above, it may not sound like a big deal, but it potentially is.

Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.

Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.


Mr. Eggeson, who specializes in privacy law and medical malpractice, in an interview with Lawyers.com, said “10 years into the HIPAA privacy rule, I should not be the only attorney in the country doing this type of work.”

But, recently, a pathologist reader who is also an attorney wrote me and said the manner in which HIPAA was used in the Walgreens case was actually not novel after all.

The reader also stated he believes there will likely be a lot more of these HIPAA-type privacy lawsuits “as more and more plaintiff attorneys realize pharmacies, hospitals, and other health organizations are vulnerable and have deep pockets.”

After I received the reader’s email, I reached out to Neal Eggeson, the lawyer who successfully argued the Walgreens case and asked him for clarification regarding his case and how he used HIPAA.  He was kind enough to respond.

My reader’s thoughts on the article are below, followed by Mr. Eggeson’s. Many thanks to both of them for helping me understand both this case and how HIPAA is being used in civil lawsuits better.

The reader:

“As a multiple personality professional, I have a great amount of respect for HIPAA, its use as a shield for privacy data, and its use as a sword in litigation.  As such, even though the federal HIPAA statutes may not have a specific private right of action, I believe pathologists and other health care providers should recognize that breach of privacy litigation, both health care related and non-health care related, has been around for many years as a private (common law, sometimes statutory law) right of action.

What plaintiffs commonly have been doing in recent years is to use a HIPAA violation as the underlying predicate offense in their breach of privacy, defamation, negligence, breach of fiduciary duty, or other likewise suit.  Since HIPAA does not have a private right of action, common folks like you and I cannot use HIPAA directly in a privacy lawsuit, only the government can sue with HIPAA (civilly and criminally I might mention).  What private citizens have been doing, though, is proving to the court that if a HIPAA violation occurred, then this violation serves as a breach of duty by the health care professional in negligence cases, fiduciary duty cases, and straight forward violation of privacy cases.

…Doe v. Quest in the Missouri Supreme Court, where the court allowed a breach of fiduciary claim to stand verses Quest after their phelebotomist wrongly faxed HIV results without the express permission of Mr. Doe.  This case used overtones of HIPAA and similar state privacy laws, like state HIV privacy laws, as the underlying predicate (underlying wrong) in the suit.  Additionally, I easily found three other cases where HIPAA violations were used as the underlying predicate for private rights of action in state law privacy violation claims.

The first is a federal case (attached) from the Eastern District of Missouri by Judge Stephen Limbaugh (he is either the brother or cousin of El Rushbo), I.S v Washington Univ (E.D. Mo 2011).  In this case, Judge Limbaugh recognized that there was no individual private right of action under HIPAA, but that under Missouri law, HIPAA could be used to provide a standard of care from which to judge a defendant’s actions, and that HIPAA could also be used to establish a legal duty of care.  States vary in their laws, so every state may not agree with Missouri state law, but many do.

Second, in a 2006 state court case (attached), the North Carolina Court of Appeals allowed HIPAA to be used to demonstrate the standard of care element in a psychiatric privacy case where the plaintiff sued for negligent infliction of emotional distress.  If one can use HIPAA as the standard of care and show HIPAA was violated, then the next logical step is that the health care professional breached a duty owed to the plaintiff by violating the standard of care.  After that, all that remains is proving damages.

Finally, in a more recent West Virginia Supreme Court case, a case that cites many underlying cases from other states in a survey of the law, the Court found that HIPAA does not preempt state laws and that HIPAA may be used as the basis of a negligence claim (used as the standard of care to which a breach of duty is judged). See R. K. v St. Mary’s Med Ctr, (2012) attached.

I hope you find this discussion interesting.  HIPAA is a very complex and tricky set of laws and regulations, and I fear litigating HIPAA will become the next new cottage industry for plaintiff attorneys. The more pathologists and physicians know about HIPAA, the better.”


Mr. Eggeson:

Your reader is correct that the lawsuit itself was grounded in common law principles (negligence, professional malpractice, and invasion of privacy).  The reason HIPAA experts are getting excited about the case is that in arguing that Walgreen was negligent and that the pharmacist committed professional malpractice, I used HIPAA to establish the standard of care.  Though it might seem a semantic distinction, it is actually quite important from a legal standpoint; I did not sue Walgreen for violating HIPAA, I sued Walgreen for negligence, but I used HIPAA to prove that Walgreen was negligent.  Similarly, I did not sue the pharmacist for violating HIPAA, I sued her for professional malpractice, but I used HIPAA to prove that what she did fell below the commonly-accepted standard for privacy protection.

The Pathology Blawgger is a surgical pathologist. He is the author of The Pathology Blawg, where earlier verions of this post originally appeared.

Livongo’s Post Ad Banner 728*90

20
Leave a Reply

15 Comment threads
5 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
19 Comment authors
eVisitJudi RoddisLeslieTerriNaomi Recent comment authors
newest oldest most voted
Judi Roddis
Guest
Judi Roddis

1/13/2015 I went to Clinic office. Told my provider not to do any further referrals because I was very unhappy with the last one. 1/14/2015 I received a telephone call from a non medical person who lives on the N. side of Ocala,Fl to come and pick up my medical records. They had been faxed to him and he was very unhappy about it, 12 or 13 pages were sent. I called the clinic-they denied it until I told them I had talked to the irate man and had gone and picked up my records. The LPN who had actually… Read more »

Leslie
Guest
Leslie

Long story involving wrongful dismissal. Working for a large national Specialty pharmacy (division of large mail order pharmacy), I was given 33% more responsibility with no additional pay, as a result of a territory remaining unfilled for 10 months. My Regional Director proportatly “managed” the territory and required reporting, but did not. Resulting in the deterioration of the performance of the territory. I was given resposibility, but he wouldn’t give me access to the contacts at the major centers for excellence or the area pharmaceutical partners. I later found out that one of the large centers was not doing business… Read more »

Naomi
Guest
Naomi

I used to take the suppressant drug “Acyclovir”, commonly used for herpes. The young male pharmacy tech at Target who always fills my prescriptions has a friend who recently worked a seasonal position at my company. This pharmacy tech told his friend that I was taking that medication and was infected.. and that friend then told everyone at my job. I am feeling absolutely violated and ashamed. Is this grounds for a lawsuit against Target? This breach of confidentiality has directly effected my employment and caused me great emotional damage. The only way I can hope to prove that he… Read more »

Terri
Guest
Terri

Naomi, I’d send a letter to Target home office legal department outlining the facts and demand an apology and that this Tech be fired. Also, the Pharmaict in CHARGE of the techs, and should be notified too. Because this guy’s big mouth needs to be stopped immediately. Then, I’d file a HIPPA complaint at the Federal and State level. I too, had to take that medicine used for Herpes for my cold sores…that I had due to a major vitamin defeciency! I laughed as I read the “intended use”….and I joke about having to take Herpe medicine for major cold… Read more »

Dale
Guest
Dale

It is disgusting how the HIPAA law really does not protect individuals. For example it is a rule that medical providers will allow the patient access to their medical records however it is rare that they do. You cannot sue to enforce HIPAA. If the HHS investigates your claim, the maximum penalty is $100. Unless your state has their own law, you do not have a right to sue for the record in court. Louisiana does have such a law but the damages are only attorney’s fees and court costs and first you must make the demand by certified mail… Read more »

mick
Guest
mick

Question (as I sit in hospital recovering): This morning as i checked in for a procedure the admittance desk took my other than me contact person. I gave it and said that person was only to be called in the event of an emergency and in fact did not know i was at the hospital and i intended it to stay that way, barring complications. She looked surprised and asked me, again, if she can call her to inform her of my condition after surgery. I, again, said ”no”. There were two other nurses standing behind her listening to our… Read more »

Consuelo
Guest

You actually make it seem really easy along with your presentation however I in finding this matter to be really something which I feel I’d never
understand. It kind of feels too complicated and extremely broad for me.
I am having a look forward to your subsequent publish, I will try to get the hold of
it!

Brittany Williams
Guest

What kind of lawyer do I need I called the bar association and they only had one lawyer to give me and said she wasn’t sure if he’s ever really taken in a case like this. I’m willing to drive hrs away to Indy Chicago wherever needed in order to get an attorney who knows what he’s doing and can take this case on with confidence and win!

Brittany Williams
Guest

I have been taking my medications to a CVS deliberately for at least a year now because of the fact I live in a small town and people see your picking up medication and you’ll be the talk of the town so to prevent that I always filled at least a 30 minute drive to a bigger town or city to prevent that. Well the first week of May my mom was driving my car and I was passenger because my 9 month old son was in the back and I was feeding him. So we go to the second… Read more »

kat
Guest
kat

I also was contacted via text by a pharmacist that “hit” on me while picking up my prescription. He went as far as saying he’d remembered me when I picked up my prescriptions at another location (same company) he knew where I lived and said “I never gave him the time of day before?” After leaving the pharmacy somewhat in shock, I received a text asking me to send him pictures of me!! He knew my new address (he said he needed it to update my record) my home had been broken into shortly afterwards, while still receiving texts from… Read more »

Michael
Guest
Michael

Kat: You need a medical malpractice attorney. The internet can provide you with many referrals. Just type in “medical malpractice pharmacy AV Rated attorneys” and the largest city you live near. AV Ratings are provided by other attorneys who either know or have dealt with the attorney in litigation and non-litigation settings. In consulting with the attorney(s), you can also ask whether the conduct was criminal. It may well be depending on the State laws but it is always best to get a professional opinion before proceeding. The civil action may or may not be taken on a contingency which… Read more »

SA
Guest
SA

Here is a question – What do you do when a pharmacy technician accesses your personal and private information to send you a text message? I do not have any type of relationship with this person, only the occasional hello when picking up my RX. Yesterday I received text messages from him telling me how attracted to me his is. I’m completely freaked out.

Angelia
Guest
Angelia

Yikes; Defiantly a hippa violation. Not to mention a little more than creepy.

eVisit
Member

Yes, clear HIPAA violation.

FRED KING
Guest

3 /10/2010 I had a penal implant at JRMC Pine Bluff ar. A nurse working for a contract co. [hurst review brookhaven MS] went to JMRC TO teach student nurses at that location. She wasn’t an employee of JMRC. Some how she got in my medical records, only the hospital knows when she was there. I was contacted by my brother in law and sister in 1/06/2014 is when I first new of it. The nurse call them an told them an who else she told I would like to know. I need some names of attys. that take cases… Read more »

Bonnie
Guest
Bonnie

I’ve been to a hospital where my ex’s mother works and she breached my daughter’s PHI. When I complained of this and other issues that accrued at the hospital the lady was fired shortly later. My thing is my ill one was never her patient in any way and breached her phi several times. Then the lady made allegations on me to other officials but nothing happened and I was cleared by them. But what can I do or what should I do.

volcanikred
Guest
volcanikred

These multimillion dollar awards come out of the hides of the healthcare worker and when are the politicians going to stop it? (When the trial lawyers stop donating millions to their campaigns.)

Javier Silber, PharmD
Guest
Javier Silber, PharmD

This million dollar lawsuit was mainly against the global business entity called The Walgreens Company and an overzealous individual that violated one of the most sacred values Healthcare Professionals are entrusted with. A patient’s medical history and information is a trust between Medical Professionals were it to become devalued by instances as this, healthcare and patient care as a whole would collapse. It is happened to be that in this case, the culprit was a Walgreen’s Pharmacist, but having been one myself in the past; I can tell you that if the culprit could have have just as easily been… Read more »

Kayte Korwitts
Guest

Protecting PHI is crucial as we all know. For individuals/organizations who collect patient data with online surveys, SurveyMonkey now offers HIPAA-compliant surveys. After you sign one of their Business Associate Agreements, they will help you meet your HIPAA obligations with all of the physical, tech and administrative requirements that are expected for HIPAA-covered entities.

More info from their blog: http://blog.surveymonkey.com/blog/2013/09/10/hipaa-compliant/

Cassandra
Guest
Cassandra

The moral is simple.

Pharmacies and other Health Care Professionals need to remember that any medical records they have access to are there to help them help that patient.

They are not intended for light reading, nor are they the proper subject for discussion with others.

If they but keep that in mind they need not fear lawsuits for privacy violations.