As previously reported, an Indiana jury awarded $1.44 million to a Walgreens customer based on allegations that the customer’s pharmacist accessed, reviewed and shared the customer’s prescription history with others who then used the information to intimidate and harass the customer. The facts of the case involved a love triangle between the pharmacist, her husband and her husband’s ex-girlfriend. When the pharmacist learned that ex-girlfriend gave birth to a child fathered by her husband, the pharmacist allegedly accessed the ex-girlfriend’s prescription information and shared the information with her husband, who then used the information to intimidate the ex-girlfriend when she began demanding child support payments. In response to the incident, Walgreens gave the pharmacist a written warning and required her to take additional HIPAA training.

Walgreens subsequently appealed the jury’s verdict, arguing for reversal on several grounds, including (1) that the court erred in denying summary judgment to Walgreens because the pharmacist acted beyond the scope of her employment; and (2) that the verdict amount was excessive and unsupported because the customer did not suffer a resulting physical injury, the customer had no lost wages as a result of the incident and the customer did not offer testimony from a medical professional in support of her claim of emotional distress.

The Indiana Court of Appeals rejected the arguments put forward by Walgreens. In regard to the question of scope of employment, the court affirmed that the determination of whether specific actions were “of the same general nature as those authorized, or incidental to the actions that were authorized,” is a question of fact for the jury. In this case, because Walgreens authorized the pharmacist to use its computer system, handle customer requests for prescriptions, and look up and print out customer information on its system, it was not an error to determine that the pharmacist’s actions in this case were within the scope of her employment. According to the court, “much of [the pharmacist’s] conduct was of the same general nature as her ordinary job duties, and much of her conduct was of the same general nature authorized by her employer.” In regard to the question of excessiveness of the verdict, the court viewed Walgreens’ arguments as “a request that we reweigh the evidence,” which the court refused to do. Walgreens has stated its intention to continue its appeal to the next level.

This is the first known decision by a court of appeals approving a jury verdict based upon a violation of HIPAA by a pharmacist or any other health professional. The decision is consistent with the growing trend in courts nationwide to hold employers liable under the common law for their employees’ violation of federal privacy law. The court’s broad definition of the scope of employment makes it more difficult for employers to avoid liability for employees’ violation of HIPAA. However, employers should maintain current policies reinforcing their employees’ obligations to maintain confidentiality of personal health information, including a policy regarding additional security measures for computers and a policy related to social media. Employers should also train their employees regularly regarding their legal obligations to protect personal health information.

Additionally, this decision may support the need for employers to reinforce to their employees – from the office workers involved in billing to the pharmacists and doctors providing direct care – the severity of penalties for violating patient privacy laws. It’s always dangerous to speculate, but one must wonder what role Walgreens’ choice of discipline had upon the jury’s deliberation. Were a written warning and HIPAA training a sufficient response to a pharmacist’s intentional review and disclosure of highly sensitive sexual and reproductive health information? If employers are going to be held responsible for an employee’s intentional (and possibly criminal) breach of a patient’s confidentiality, employers need to ensure that they maintain consistent and sufficiently severe consequences for employees who engage in such behavior.

Photo of Carrie Dettmer Slye Carrie Dettmer Slye

Carrie Dettmer Slye focuses on assisting business clients in resolving complex disputes, including matters involving data privacy and security.

Experience:

Assisted in case involving alleged unauthorized disclosure of protected health information by hospital. Drafted motion to dismiss arguing that plaintiff consented to disclosure…

Carrie Dettmer Slye focuses on assisting business clients in resolving complex disputes, including matters involving data privacy and security.

Experience:

Assisted in case involving alleged unauthorized disclosure of protected health information by hospital. Drafted motion to dismiss arguing that plaintiff consented to disclosure of documents thereby waiving any alleged privilege. Plaintiff’s counsel agreed with analysis after review of motion to dismiss and subsequently dismissed action.

Assisted in response to federal complaint filed against client, a golf course, for allegedly preventing use of member’s “lifetime membership.” Drafted motion to dismiss plaintiff’s claims, which included constitutional due process claim, breach of contract claim, and personal injury claim. District court granted motion to dismiss and issued thorough opinion analyzing issues in golf course’s favor.

Handled litigation matters concerning software and website development. Represented consultants and software developers in complex actions involving design and implementation of Enterprise Resource Planning/Management software.

Assisted in data breach and incident response related to misplaced technology device involving company in healthcare industry. Drafted incident notifications to affected individuals and regulatory agencies, including state attorneys general and Office of Civil Rights.

Drafted standards for company in financial industry to assist with monitoring of employee postings and participation in social media.