
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Indiana Court Upholds $1.44M HIPAA Privacy Breach Award

Walgreen Co. has lost an appeal against the $1.44 million award for damages it was ordered to pay after a HIPAA Privacy Rule breach resulted in confidential patient PHI being shared with unauthorized individuals.

This is the first time that the action of an employee has resulted in a healthcare provider being held liable for a violation of the Health Insurance Portability and Accountability Act. The Indiana appellate court decision could well set a legal precedent in cases where employees have violated HIPAA regulations and sensitive patient data has been shared with third parties.

Walgreen Co. v. Abigail E. Hinchy

In July 2013, a Marion Superior Court jury awarded $1.44M in damages to Abigail Hinchy, a client who had dated a Walgreen pharmacist's husband, after the pharmacist shared her PHI with a third party.


A pharmacist at Walgreens at 6269 W. 38th St. in Indianapolis improperly accessed Hinchy’s prescription history. Hinchy had once dated the pharmacist’s husband and had his child; the pharmacist knowingly accessed her prescription history and personal information and divulged that information. The pharmacist’s husband was given Abigail’s PHI, and he threatened to use that information in a paternity case. He also subsequently shared the information he had gained with at least three other people.

When Abigail Hinchy learned what had happened, she made a complaint to Walgreen. The company spoke to the pharmacist, who admitted accessing the files for personal reasons; she received a written warning for unethical actions and was made to retake a training program on HIPAA rules and regulations.

The court unanimously ruled that the pharmacist had violated “one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client’s ex-boyfriend.” The jury held Walgreen Co. liable.

Walgreen Co. has paid the damages although the funds are being held by the courts pending the outcome of the appeals process. They will not be released until the case has been finally resolved.

Legal Precedent Could See Employers Liable for HIPAA Violations by Employees

The appellate judges heard the appeal, in which Walgreen argued that the court should have released it from liability. However, the previous court ruling was upheld, and the judges unanimously agreed that “the trial court properly permitted the jury to consider Walgreen’s liability.” Walgreen Co. is permitted to appeal and will be exercising that right.

Legal experts are considering the implications of the ruling. It could well set a legal precedent, and the case may well be cited in future lawsuits where employees have violated HIPAA regulations, even if the employer has not, as there is vicarious liability on the part of the employer.

In the appeal, Walgreen Co. is likely to focus on the extent to which it can be held liable for the actions of an employee when the company had not acted in a negligent manner.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
