HIPAA Award Upheld After Pharmacist Shared Patient Data

 Last week, the Indiana Court of Appeals upheld a $1.4 million verdict against Walgreens and one of its pharmacists who violated the Health Insurance Portability and Accountability Act (HIPAA) when she reviewed prescription records of a woman who had once dated her husband.

In short, the facts of the case are as follows:

  • The pharmacist allegedly reviewed the prescription records of a woman who had fathered a child with the pharmacist’s husband.
  • The pharmacist later shared the confidential information, including the patient’s social security number, with her husband, who then gave the information to at least three other individuals.
  • The husband was allegedly collecting the information to use against the patient in a paternity suit.

The case is significant because the order is the first published appellate court decision where a health care provider has been held liable for HIPAA violations committed by an employee.

In a unanimous decision, the three judge member panel noted that the pharmacist violated “one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client’s ex-boyfriend.”

Walgreens, which is planning to appeal the ruling, argues that they should not be held liable for an employee who knowingly violated company policy and improperly reviewed and divulged a patient’s personal information.

Other legal experts, however, argue that Walgreens could be held vicariously liable for the actions of its employees, even if Walgreens was not negligent, as prior court decisions have held employers accountable, even if the employer did nothing wrong, due to the employer’s close relationship with the wrong-doer.

Regardless of the outcome of the appeal, pharmacists and other health care providers should take note of the important legal precedent that could be cited in future lawsuits regarding patient confidentiality: Privacy breach victims may hold employers accountable for HIPAA violations of their employees.