Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees. While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court, and it could have serious repercussions on the health care system.
The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, who she suspected gave her husband an STD. Apparently she found what she was looking for and told her husband about it; he then sent a text message to his ex and informed her that he knew all about her results.
The ex did not appreciate this, and told the Walgreens pharmacy about what happened. At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.
Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach. The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.
As I said above, it may not sound like a big deal, but it potentially is.
Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.
Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.