Award for HIPAA violation raises liability concerns

A Marion County jury award of $1.4 million upheld by the Indiana Court of Appeals in November was called a “game-changer” for health care providers whose employees handle private medical information, according to one attorney.

Abigail Hinchy was awarded the million-dollar verdict after her ex-boyfriend’s then-girlfriend, who was a Walgreen pharmacist, accessed her drug records and reported the medications she was taking to the ex-boyfriend. The jury found Walgreen liable on claims of respondeat superior, negligent supervision and retention, and invasion of privacy.

The case set a national precedent in finding that a company could be held liable for the acts of an employee who violated federal patient privacy protections in the Health Insurance Portability and Accountability Act.

“I do think it’s a game-changer,” Plews Shadley Racher & Braun attorney Stephanie Eckerle said. “This was a remarkable case because it involved a breach of privacy by one person of one customer’s medical information,” rather than a mass breach of private information.

Hinchy’s attorney, Neal Eggeson, said the case represents a culmination of trial court decisions around the country suggesting that privacy-violation cases using HIPAA as a community standard of care could move forward.

Walgreen argued the case should have been resolved on summary judgment.

“We believe it is a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy,” the company said.

Indiana University Robert H. McKinney School of Law professor David Orentlicher said an important takeaway from the case is that health care providers need to be aware that they may face liability under state laws for privacy breaches under the federal HIPAA law.

As more private medical records are stored electronically, the decision means that the ready availability of patient data also creates new potential liabilities for those with access to the records, he said.•