`

Walgreen privacy judgment a 'game-changer'

December 3, 2014
walgreens-1-2col.jpg
The Walgreen location at 6269 W. 38th St. in Indianapolis is where a pharmacist accessed a customerâ??s private prescription history, leading to a $1.4 million judgment against the drugstore chain.

A $1.4 million judgment against Walgreen for a pharmacist’s unauthorized breach of private prescription data should raise red flags for any health care provider whose employees handle private medical information, lawyers and legal experts say.

“I do think it is a game-changer,” said Stephanie Eckerle, chair of Plews Shadley Racher & Braun’s health care and life science group. “This was a remarkable case because it involved a breach of privacy by one person of one customer’s medical information,” rather than a mass breach of private information.

Walgreen said it would ask the Indiana Supreme Court to grant transfer after the Indiana Court of Appeals affirmed Walgreen Co. v. Abigail Hinchy, 49A02-1311-CT-950, on Nov. 14. The case set a national precedent in finding that a company could be held liable for the acts of an employee who violated federal patient privacy protections in the Health Insurance Portability and Accountability Act.

Eckerle said she believes the precedent has broad implications beyond pharmacies and could apply to any health care providers and their associates who deal with private patient information.

“Furthermore, now covered entities not only have to worry about the civil and criminal penalties that (the Department of Health and Human Services) can impose, which can be quite substantial, but also civil judgments awarded under the theory of respondeat superior and other causes of action,” she said.

Eggeson Eggeson

A Marion Superior jury awarded Abigail Hinchy $1.4 million after a pharmacist accessed her prescription history without authorization, and Hinchy later learned the information had been provided to the father of her child. The jury found Walgreen liable on bases of respondeat superior, negligent supervision and retention, and invasion of privacy. The appeals panel chose not to disturb the verdict.

Indianapolis attorney Neal Eggeson represented Hinchy and said the case represents a culmination of trial court decisions around the country suggesting that privacy-violation cases using HIPAA as a community standard of care could move forward. “Now, we have a decision where not only did that concept go to trial, but it resulted in a seven-figure judgment.”

Fred Cate, an Indiana University Maurer School of Law professor and expert on privacy law, said the Walgreen verdict is the largest he’s aware of concerning individual conduct in accessing private health information. He said it’s a striking decision in a time when widespread data breaches are fairly common.

“It was outrageous and egregious conduct,” Cate said of pharmacist Audra Winters’ accessing of Hinchy’s records. “But generally, if you look across the wide swath of privacy cases, courts are pretty quick to dismiss cases because they want to see cases of actual harm.

“Courts are usually a little more hard-nosed about ‘show me the harm,’ and it’s hard with privacy to ‘show me the harm,’” Cate said. “Courts routinely throw out cases like this.”

Eckerle Eckerle

That was Walgreen’s position before the Court of Appeals. The company argued the case should never have gone before a jury and instead should have been decided in its favor on summary judgment. In a statement after the COA decision, Walgreen reaffirmed that position.

“We take seriously our responsibility to safeguard the privacy of medical records in our possession. The pharmacist in this case admitted she was aware of our strict privacy policy and knew she was violating it,” the company said. “She was appropriately disciplined for her action. We believe it is a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.”

Eggeson said he’s not sure whether the precedent-setting case will result in a proliferation of similar claims. “My suspicion is that privacy breaches like this by health care providers are more common than any of us would like to believe,” he said. “Unless he or she slips up and goes and tells friends and family members, I’m never going to know if they breached my privacy.”

Indiana University Robert H. McKinney School of Law professor David Orentlicher said an important takeaway from the case is that healthcare providers need to be aware that they may face liability under state laws for privacy breaches under the federal HIPAA law.

“Here the court is saying clearly that if you breach an important ethical consideration, you can pay significantly,” Orentlicher said. “It didn’t seem clear-cut that Walgreen should be held liable. … The court is coming down with a very broad view of employer accountability.”

As more private medical records are stored electronically, the decision means that the ready availability of patient data also creates new potential liabilities for those with access to the records, Orentlicher said.

Eggeson put on expert testimony at the jury trial that disputed Walgreen’s position that a tracking system of who had accessed private data was not a community standard of care. Eckerle said she was taken by the amount of time the Court of Appeals judges spent during oral arguments focused on whether Walgreen had a system in place that could detect when its employees accessed customers’ protected information without authorization.

“Walgreen’s lack of a tracking system to determine who has access to a customer’s patient profile, their alleged lack of action when Walgreen’s received the initial notice that a breach may have occurred, and their response once they confirmed the breach, may all be critical factors in determining Walgreen’s liability – and all analyzed by looking at community standards.” Eckerle said.

Thomas R. Harper of Gilliland Law Firm P.C. represents health care providers and said he sees the verdict pointing to gaps in privacy laws. He’s also concerned about the precedent the case represents.

“In this case, I think the jury probably got it wrong,” Harper said, on the basis of respondeat superior. “I think the jury went beyond the rule of law.”

“If this were based on a HIPAA violation and a government agency was looking at it, I don’t think it would be a $1.4 million fine,” he said.

Harper also noted the irony that in making a case for a violation of privacy, Hinchy was required to air details of the case in a public forum. “It’s kind of a Catch-22 with privacy law,” he said. “Because of open courts, the whole world knows.

“I think in this arena when you’re dealing with privacy, it should be looked at more closely, and it’s something that should be addressed by the Legislature, or at least considered,” Harper said.

Eggeson said Hinchy knew when she filed the case after learning of the breach in 2010 that this would be a years-long journey. “She’s grateful there might finally be light at the end of this tunnel,” he said. “She knew it was going to be a long time coming. … We’re one step closer to the end now.”•

ADVERTISEMENT

Recent Articles by Dave Stafford