On November 14, 2014, the Court of Appeals of Indiana affirmed a $1.44 million judgment against Walgreens Company based on a HIPAA violation committed by a Walgreens pharmacist. Walgreen Co. v. Hinchy, 2014 WL 6130795 at *1 (Ind. Ct. App. 2014). In Walgreen Co. v. Hinchy, Walgreens’ pharmacist Audra Withers looked up the prescription information of Walgreens’ customer Abigail Hinchy. Withers then used the prescription information of Hinchy for personal reasons, which allegedly included allowing Withers’ husband to use the private information to pressure Hinchy into not asking Withers’ husband for child support. Upon figuring out how Withers’ husband obtained the private information, Hinchy contacted Walgreens’ regional office to report the matter.
During the investigation, Withers admitted to purposely accessing the information for personal use. Walgreens confirmed to Hinchy that a HIPAA violation had occurred. Id. Per Walgreens, “Withers received a written warning and was required to retake a computer training program regarding HIPAA.”
Dissatisfied with the outcome, Hinchy sued both Walgreens and Withers. On July 23, 2013, a trial was held on the issues of whether Withers was liable for negligence by way of professional malpractice or invasion of privacy by public disclosure of private facts. The jury was also asked to decide if Walgreens was liable for Withers’ actions through vicarious liability as well as negligent supervision, negligent retention, and negligence by way of professional malpractice. Ultimately, Walgreen and Withers were held liable for $1.44 million.
The Walgreen decision, while never actually discussing HIPAA, has far-reaching implications for HIPAA. Three of those implications are as follows:
- Walgreen allowed an individual to collect damages for a negligence claim based on actions that constitute a HIPAA violation, which potentially leaves open the option for plaintiffs to bring a private right of action under HIPAA.
HIPAA on its face does not create a private right of action. Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006). As the Fifth Circuit Court of Appeals explained:
HIPAA does not contain any express language conferring privacy rights upon a specific class of individuals. Instead, it focuses on regulating persons that have access to individually identifiable medical information and who conduct certain electronic health care transactions. HIPAA provides both civil and criminal penalties for improper disclosures of medical information. However, HIPAA limits enforcement of the statute to the Secretary of Health and Human Services. Because HIPAA specifically delegates enforcement, there is a strong indication that Congress intended to preclude private enforcement.
Therefore, HIPAA violations should only be actionable by government entities. Yet, cases such as Walgreen circumvent this principle by framing the claims are negligence claims.
- Walgreen implies that employers who are “Covered Entities” as defined under HIPAA, such as hospitals, can and may be held liable for the actions of their employees even if the employee acted intentionally and knowingly violated the hospital’s privacy policies.
The Walgreen decision used the theory of vicarious liability to hold Walgreens liable for Withers’ actions. In doing so, the court upheld the finding that Withers was acting within her scope of employment when she accessed Hinchy’s prescription records finding there was an underlying liability of Withers.
Under Indiana law, acts fall within the scope of employment when they are “incidental to the conduct authorized” by the employer, or “to an appreciable extent, further[s] the employer’s business.” Stating that “much of Withers’ conduct was of the same general nature as her ordinary job duties, and much of her conduct was of the same general nature authorized by her employer,” the court held Withers’ actions fell within her scope of employment. As for the underlying liability, the trial court failed to state whether Withers’ liability arose from the tort of invasion of privacy by public disclosure of private facts or negligence by virtue of professional malpractice of a pharmacist. Without guidance, the court of appeals focused on the negligence claim to affirm that Withers had acted negligently. Thus Walgreens was vicariously liable.
- Walgreen implicitly expands the factors to be considered when holding a covered entity liable for a HIPAA violation to include emotional distress.
After finding Withers negligent, the jury awarded damages of $1.8 million and apportioned 80% of the liability to Withers and Walgreens. The jury based the damages on the emotional distress alleged by Hinchy which resulted from facts such as that “Hinchy’s father learned about Hinchy’s use of birth control, that Hinchy has herpes, and that Hinchy had stopped taking birth control shortly before becoming pregnant.” This caused Hinchy distress and anguish which she described as shock, confusion, and feeling violated.
While emotional distress is typically compensable under negligence claims, distress is not typically a factor in HIPAA liability. The factors considered in levying a Civil Monetary Penalty for a HIPAA violation include the victim’s physical, reputational, or financial harm, or the inability to obtain health care. 45 C.F.R. § 160.408.
Overall, the intersection of HIPAA and negligence claims will depend on state law and their doctrines on negligence, professional liability, and vicarious liability. However, the Walgreen decision is important as it demonstrates a growing trend to allow civil suits to be brought by private citizens based on HIPAA violations. See also R.K. v. St. Mary’s Med. Ctr., Inc., 735 S.E.2d 715, 720-21 (W. Va. 2012); Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 314 Conn. 433 (Conn. 2014).
Written by: Danielle L. Borel