Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees. While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court and it could have serious repercussions on the health care system.
The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, who she suspected had given her husband an STD. Apparently she found what she was looking for and told her husband, who then sent a text message to his ex informing her that he knew all about her results.
The ex did not appreciate this, and told the Walgreens pharmacy about what happened. At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.
Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach. The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.
As I said above, it may not sound like a big deal, but it potentially is.
Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.
Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.
Mr. Eggeson, who specializes in privacy law and medical malpractice, in an interview with Lawyers.com, said “10 years into the HIPAA privacy rule, I should not be the only attorney in the country doing this type of work.”
But, recently, a pathologist reader who is also an attorney wrote me and said the manner in which HIPAA was used in the Walgreens case was actually not novel after all.
The reader also stated he believes there will likely be a lot more of these HIPAA-type privacy lawsuits “as more and more plaintiff attorneys realize pharmacies, hospitals, and other health organizations are vulnerable and have deep pockets.”
After I received the reader’s email, I reached out to Neal Eggeson, the lawyer who successfully argued the Walgreens case and asked him for clarification regarding his case and how he used HIPAA. He was kind enough to respond.
My reader’s thoughts on the article are below, followed by Mr. Eggeson’s. Many thanks to both of them for helping me better understand both this case and how HIPAA is being used in civil lawsuits.
“As a multiple personality professional, I have a great amount of respect for HIPAA, its use as a shield for privacy data, and its use as a sword in litigation. As such, even though the federal HIPAA statutes may not have a specific private right of action, I believe pathologists and other health care providers should recognize that breach of privacy litigation, both health care related and non-health care related, has been around for many years as a private (common law, sometimes statutory law) right of action.
What plaintiffs commonly have been doing in recent years is to use a HIPAA violation as the underlying predicate offense in their breach of privacy, defamation, negligence, breach of fiduciary duty, or other likewise suit. Since HIPAA does not have a private right of action, common folks like you and me cannot use HIPAA directly in a privacy lawsuit, only the government can sue with HIPAA (civilly and criminally I might mention). What private citizens have been doing, though, is proving to the court that if a HIPAA violation occurred, then this violation serves as a breach of duty by the health care professional in negligence cases, fiduciary duty cases, and straightforward violation of privacy cases.
…Doe v. Quest in the Missouri Supreme Court, where the court allowed a breach of fiduciary claim to stand versus Quest after their phlebotomist wrongly faxed HIV results without the express permission of Mr. Doe. This case used overtones of HIPAA and similar state privacy laws, like state HIV privacy laws, as the underlying predicate (underlying wrong) in the suit. Additionally, I easily found three other cases where HIPAA violations were used as the underlying predicate for private rights of action in state law privacy violation claims.
The first is a federal case (attached) from the Eastern District of Missouri by Judge Stephen Limbaugh (he is either the brother or cousin of El Rushbo), I.S v Washington Univ (E.D. Mo 2011). In this case, Judge Limbaugh recognized that there was no individual private right of action under HIPAA, but that under Missouri law, HIPAA could be used to provide a standard of care from which to judge a defendant’s actions, and that HIPAA could also be used to establish a legal duty of care. States vary in their laws, so every state may not agree with Missouri state law, but many do.
Second, in a 2006 state court case (attached), the North Carolina Court of Appeals allowed HIPAA to be used to demonstrate the standard of care element in a psychiatric privacy case where the plaintiff sued for negligent infliction of emotional distress. If one can use HIPAA as the standard of care and show HIPAA was violated, then the next logical step is that the health care professional breached a duty owed to the plaintiff by violating the standard of care. After that, all that remains is proving damages.
Finally, in a more recent West Virginia Supreme Court case, a case that cites many underlying cases from other states in a survey of the law, the Court found that HIPAA does not preempt state laws and that HIPAA may be used as the basis of a negligence claim (used as the standard of care to which a breach of duty is judged). See R. K. v St. Mary’s Med Ctr, (2012) attached.
I hope you find this discussion interesting. HIPAA is a very complex and tricky set of laws and regulations, and I fear litigating HIPAA will become the next new cottage industry for plaintiff attorneys. The more pathologists and physicians know about HIPAA, the better.”
Your reader is correct that the lawsuit itself was grounded in common law principles (negligence, professional malpractice, and invasion of privacy). The reason HIPAA experts are getting excited about the case is that in arguing that Walgreen was negligent and that the pharmacist committed professional malpractice, I used HIPAA to establish the standard of care. Though it might seem a semantic distinction, it is actually quite important from a legal standpoint; I did not sue Walgreen for violating HIPAA, I sued Walgreen for negligence, but I used HIPAA to prove that Walgreen was negligent. Similarly, I did not sue the pharmacist for violating HIPAA, I sued her for professional malpractice, but I used HIPAA to prove that what she did fell below the commonly-accepted standard for privacy protection.
The Pathology Blawgger is a surgical pathologist. He is the author of The Pathology Blawg, where earlier versions of this post originally appeared.