As most providers know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a comprehensive set of laws requiring certain protections to patient-identifiable health information. Most states have similar laws that require healthcare professionals to hold patient health information in the strictest of confidence. For example, Indiana law provides that a pharmacist shall hold in strictest confidence all prescriptions, drug orders, records, and patient information. Indiana Code § 25-26-13-15(a). HIPAA does not contain a private right of action, meaning that a plaintiff cannot directly sue a healthcare provider for violating HIPAA. Rather, the federal government is the only party entitled to enforce violations of HIPAA.
While HIPAA cannot be enforced by a private citizen, HIPAA has emerged as the basis to set the standard of care in which a provider should maintain patient information. An Indiana jury recently returned a verdict against a pharmacy in the amount of $1.4 million dollars arising from negligence of its pharmacist in handling a patient’s prescription profile.
In Walgreen Co. v. Abigail Hinchy, 21 N.E.3rd 99 (Ind.Ct.App.2014), affirmed on rehearing at 25 N.E.3rd 748 (Ind.Ct.App.2015), the Indiana Court of Appeals affirmed a jury verdict entered against Walgreen and its pharmacist in the amount of $1.4 million. The Walgreen pharmacist accessed Hinchy’s prescription profile for personal purposes and allegedly shared the information with another. Hinchy argued that HIPAA in conjunction with Indiana law set the applicable standard of care on when a pharmacist was permitted to access a patient’s records and for what purpose. Here, the pharmacist admitted that she accessed the patient’s prescription profile for personal purposes, but denied sharing the information. The Court held that even if some of the actions of the pharmacist were unauthorized by Walgreen, since the pharmacist was empowered to commit the tort by reason of her employment and her conduct was incidental to authorized conduct by Walgreen, the question of vicarious liability would be sent to the jury. The jury found that the pharmacist violated the applicable standard of care, set by HIPAA and Indiana law, by accessing Hinchy’s prescription profile, and then by providing a copy of the prescription profile to another. Plaintiff claimed emotional distress arising from the unauthorized disclosure. Without expert medical testimony, Hinchy testified that she endured emotional distress, sought counseling, and took a higher dose of Cymbalta, relating to the distress that the unauthorized access and disclosure of her prescription profile caused her. The jury entered a verdict against Walgreen in the amount of $1.4 million arising from the conduct of its pharmacist.
This case demonstrates a liability risk to a corporate healthcare provider within the framework of a garden-variety medical negligence suit where the ultimate conduct is unrelated to the promotion of health. Under the framework approved by the Walgreen Court, we will likely encounter a growing number of claims for intentional privacy intrusion, framed in the context of medical negligence. With the standard of vicarious liability permitted to proceed to the jury, it is important to consider this in setting premiums for corporate healthcare providers, even where the providers affiliated with the corporation have independent liability insurance policies.
If you would like a copy of this opinion, or have questions regarding this case, or have any other questions relating to liability of healthcare providers, please contact a member of our Medical Malpractice Defense or Health Care Practice Groups.
