Dedicated to providing the latest
HIPAA compliance news

Indiana Court Upholds $1.44M HIPAA Privacy Breach Award

Share this article on:

Walgreen Co. has lost an appeal against the $1.44 million award for damages it was ordered to pay after a HIPAA Privacy Rule breach resulted in confidential patient PHI being shared with unauthorized individuals.

This is the first time that the action of an employee has resulted in a healthcare provider being held liable for a violation of the Health Insurance Portability and Accountability Act. The Indiana appellate court decision could well set a legal precedent in cases where employees have violated HIPAA regulations and sensitive patient data has been shared with third parties.

Walgreen Co. v. Abigail E. Hinchy

In July 2013, a Marion Superior Court jury awarded $1.44M in damages to Abigail Hinchy after a Walgreen pharmacist shared PHI with a third party about a client who had dated her husband.

A pharmacist at Walgreens at 6269 W. 38th St. in Indianapolis improperly accessed Hinchy’s prescription history. Hinchy had once dated her husband and had his child and the pharmacist knowingly accessed her prescription history and personal information and divulged that information. The pharmacist’s husband was given Abigail’s PHI and he threatened to use that information in a paternity case. He also subsequently shared the information he had gained with at least three other people.

When Abigail Hinchy learned of what had happened she made a complaint to Walgreen. They spoke to the pharmacist who admitted accessing the files for personal reasons and she received a written warning for unethical actions and was made to retake a training program on HIPAA rules and regulations.

The court unanimously ruled that the pharmacist had violated “one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client’s ex-boyfriend.” The jury held Walgreen Co. liable.

Walgreen Co. has paid the damages although the funds are being held by the courts pending the outcome of the appeals process. They will not be released until the case has been finally resolved.

Legal Precedent Could See Employers Liable for HIPAA Violations by Employees

The appellate judges heard the appeal in which Walgreen believed the court should have released it from liability, however the previous court ruling was upheld and unanimously agreed that “the trial court properly permitted the jury to consider Walgreen’s liability.” Walgreen Co. is permitted to appeal and will be exercising that right.

Legal experts are considering the implications of the ruling. The ruling could well set a legal precedent and the case may well be cited in future lawsuits where employees have violated HIPAA regulations; even if the employer has not as there is vicarious liability on the part of the employer.

In the appeal, Walgreen Co. is likely to focus on the extent to which they can be held liable for the actions of an employee when the company had not acted in a negligent manner.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On