Tag: HIPAA violations

A New Way to Sue Health Care Professionals Using HIPAA?

Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees.  While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court and it could have serious repercussions on the health care system.

The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, who she suspected had given her husband an STD. Apparently she found what she was looking for and told her husband, who then sent a text message to his ex informing her that he knew all about her results.

The ex did not appreciate this, and told the Walgreens pharmacy about what happened.  At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.

Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach.  The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.

As I said above, it may not sound like a big deal, but it potentially is.

Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.

Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.

OCR Imposes $4.3M Penalty for Violation of HIPAA/HITECH Privacy Rule

UNTIL TODAY, many health care providers questioned whether HHS and the Office of Civil Rights (OCR) would ever issue any significant penalties for violations of the HIPAA Privacy Rule. However, will OCR ever be able to collect the penalties?

Today, HHS Office of Civil Rights (OCR) announced a civil money penalty (CMP) of $4.3 million against Cignet Health of Prince George’s County, MD for violating the HIPAA Privacy Rule. This is the first ever civil money penalty issued by OCR for a violation of the HIPAA Privacy Rule. It is significant not only because it is the first – but also because of the size of the penalty and the basis for the violation.

OCR issued a Notice of Final Determination on February 4, 2011, outlining the procedure for payment of the $4.3 million civil money penalty. The Notice of Final Determination also indicates that Cignet failed to request a hearing on the matter or reach settlement with OCR. Prior to the issuance of the final notice, OCR had issued a Notice of Proposed Determination on October 20, 2010, which details the basis for the penalty, the findings of fact, the grounds for violation of HIPAA, and the calculation of the penalty amount.