HIPAA Lawsuit: $1.4 Million Walgreens Love Triangle

This piece argues for independently audited self-encrypting HIPAA storage as a service for healthcare companies. We review it within the broad enforcement and liability context, proceeding as follows:

• Data Privacy Monitor: Surge of fines expected this year
• Indianapolis Star: $1.4 million Walgreens love triangle
• Analysis: The case places further pressure on the industry
• Defense: Walgreens perspective & vicarious liability
• In it together: Business associates post-Omnibus

Data Privacy Monitor: Surge of fines expected this year

The year-over-year background and forecast for healthcare compliance in June looked bleak in both directions. That became clear when a prominent lawyer for HHS OCR spoke with a legal magazine at a professional conference, as reported by Data Privacy Monitor earlier this year.

According to DPM, Law360 interviewed the Chief Regional Counsel for the OCR, Jerome B. Meites,  at a Chicago meeting of the American Bar Association (ABA). He said that the year leading up to June would “pale in comparison to the next 12 months.’”

That was not what the healthcare industry was hoping to hear since the actions of the OCR were already considered excessively aggressive and punitive by some. Between June 1, 2013, and June 13, 2014, nine settlements were posted on the HIPAA “Wall of Shame” (actually the OCR’s Breaches Affecting 500 or More Individuals announcement page, which does go soft on non-compliant companies by listing violations chronologically backward) that totaled more than $10 million.

Mr. Meites said that based on upcoming settlements expected to be announced through 2014 and the first half of 2015, “‘I suspect that [the] number [from the last year] will be low compared to what’s coming up.’”

Indianapolis Star: $1.4 million Walgreens love triangle

Financial settlements with the federal government are just one side of the equation, though. Healthcare firms must also be concerned with civil lawsuits – especially since one recent high-profile judgment involving a major consumer brand places responsibility for employee wrongdoing with the employer.

The Court of Appeals in Indiana decided on Friday, November 14, in favor of a customer whose health information was taken by a Walgreens pharmacist and shared with a third party – as reported by Tim Evans of the Indianapolis Star. Specifically, the pharmacist took the prescription information of her husband’s ex-girlfriend and shared it with her husband, who in turn shared it with at least three other parties. The victim in the healthcare data love triangle was awarded $1.44 million.

According to the victim’s lawyer, Neal F. Eggeson, Jr., the decision was the first by an appellate court in the United States to place liability with a HIPAA-covered entity (Walgreens) for a data breach caused purely by employee wrongdoing.

Analysis: The case places further pressure on the industry

Eggeson and other healthcare attorneys said that the judgment would serve as a legal precedent for use in future court cases around the country.

The Indiana Court of Appeals decision effectively “‘[confirms] that privacy breach victims may hold employers accountable for the HIPAA violations of their employees,’” said Eggeson.

David Orentlicher, who co-heads the law and health center at Indiana University’s law school, noted that even though Walgreen Company has stated they plan to appeal this decision, it serves as a general warning to all healthcare companies that privacy must be maintained.

Orentlicher said that protecting sensitive medical details is critical because if patients can’t be reasonably confident that their data won’t be misused, they may avoid seeking care altogether.

Defense: Walgreens perspective & vicarious liability

James W. Graham, writing on behalf of Walgreens, described what the corporation believes to be unfair about the decision: the pharmacist who unethically accessed and shared the health records “was aware of our strict privacy policy and knew she was violating it.” Graham said that the drugstore chain did not believe that the law should make a company responsible for the misdeeds of a single worker.

The November verdict was in response to a request from Walgreens to overturn a July 2013 case decided in favor of Abigail Hinchy, the ex-girlfriend, a customer of the 6269 W. 38th St. location in Indianapolis.

Walgreens was dealt a sound and swift blow by the Court of Appeals. Judge John Baker stated in a unanimous verdict that the Walgreens pharmacist, Audra Withers, had disregarded “one of her most sacred duties” when she looked at the details within the customer’s account and provided her findings to an unauthorized individual (the husband).

Orentlicher noted that when Walgreens appeals at the Indiana Supreme Court, the idea of “vicarious liability” will be central to the debate. In the case of a workplace that made every effort to train its workers properly, the court sometimes places accountability with the employer nonetheless – because it decided to employ that particular individual.

In it together: Business associates post-Omnibus

Before the release of the Final Omnibus Rule in 2013, business associates were not held immediately responsible for healthcare privacy and security by the federal government. Now, all that has changed. According to the American Academy of Orthopaedic Surgeons, the adjustments to the law impact any individual or organization that handles protected health information (PHI). Today, business associates such as Atlantic.Net are “directly liable for compliance.”

With a complex and refined privacy and security background that spans three decades, we can provide a broad range of HIPAA Hosting solutions. Many clients benefit from our self-encrypting storage plans, in which the entire hard drive is encrypted via a symmetrical key held in a separate location from the CPU (isolating it from any dangers of memory corruption).   We offer our HIPAA Compliant Hosting and blazing fast Cloud Servers with a 100 percent uptime guarantee.