HIPAA hurts: jury verdict upheld against Walgreen Co. for $1.8 million

It seems like every day in the news there is a new story about electronic data breaches from hackers. While these types of data breaches tend to make the front page headlines, hackers account for only a small percentage of reported breaches under the Health Insurance Portability and Accountability Act (“HIPAA”). In fact, hackers accounted for only eight percent of reported breaches in 2011 and nine percent in 2012. For employers, these statistics are critical in making decisions about where to deploy resources to prevent and protect against HIPAA breaches and state privacy law violations.

Unfortunately for employers, a recent case decided by the Court of Appeals in Indiana upheld a jury verdict against Walgreen Co. in the amount of $1.8 million for actions taken by a Walgreen’s employee related to disclosure of a patient’s prescription information. In Walgreen Co. v. Hinchy, Hinchy, a patient who had her prescriptions filled at Walgreen Co., filed a complaint against Walgreen Co. alleging claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts and invasion of privacy/intrusion. These claims were filed against Walgreen Co. under a respondeat superior theory, meaning that Hinchy was seeking to hold Walgreen Co. vicariously liable for the acts of its employee. The basis of Hinchy’s complaint was that a Walgreen Co. pharmacist disclosed Hinchy’s private prescription information to Hinchy’s former boyfriend, who was involved in a relationship with the pharmacist at that time. Upon learning of this disclosure, Hinchy reported her suspicion to Walgreen Co., who investigated the allegations and confirmed to Hinchy that: (1) a HIPAA violation had occurred; (2) the pharmacist had viewed Hinchy’s prescription information without consent and for personal purposes; and (3) Walgreen Co. could not confirm whether the pharmacist had revealed that information to a third party. The results of this investigation formed the basis for Hinchy’s complaint alleging violation of state privacy laws.

This case highlights how critical it is for employers to have a comprehensive HIPAA and state privacy law compliance plan and to train employees on how critical it is that they adhere to the policy.  

This Chuhak & Tecson, P.C. communication is intended only to provide information regarding developments in the law and information of general interest. It is not intended to constitute advice regarding legal problems and should not be relied upon as such.

Client Alert authored by: Kimberly T. Boike