BreachExchange mailing list archives

Court Upholds $1.4 Million Privacy Verdict


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 24 Nov 2014 18:55:00 -0700

http://www.govinfosecurity.com/court-upholds-14-million-privacy-verdict-a-7567

A second state court ruling in recent weeks calls attention to how
incidents involving alleged patient privacy violations can lead to
negligence lawsuits that invoke HIPAA as a benchmark.

In the most recent case, the Indiana appellate court has upheld a $1.4
million jury verdict awarded in 2013 to a customer that alleged her privacy
was violated by a Walgreens pharmacist who inappropriately reviewed and
shared the woman's prescription history with a third party.

In July 2013, a jury in Marion County, Ind., awarded the damages to Abigail
Hinchy after her prescription history was provided to her ex-boyfriend,
Davion Peterson, by a Walgreens pharmacist, Audra Withers, who was married
to Peterson.

Walgreens appealed the jury's decision, but the appellate court on Nov. 14
upheld the lower court ruling. The pharmacy chain tells Information
Security Media Group that it plans to appeal once again to the state's
supreme court.

"In this case, a pharmacist breached one of her most sacred duties by
viewing the prescription records of a customer and divulging the
information she learned from those records to the client's ex-boyfriend,"
says the court of appeals in its decision. "A jury heard extensive evidence
during a four-day trial and ultimately found that the pharmacist and her
employer are liable for the damages sustained by the customer as a result
of the breach. We are loath to disturb jury verdicts and decline to do so
in this case."

HIPAA does not permit a "private cause of action" for individuals to sue
for violations of the federal law. But the Walgreens case, like a similar
case in Connecticut, gets around that by, instead, alleging negligence
under state statutes for failing to meet HIPAA requirements, invoked as the
"standard of care" for protecting patient information.

The Connecticut Supreme Court earlier this month paved the way for a
similar negligence case to proceed (see Court Allows HIPAA Negligence
Claims). That case, Emily Byrne vs. Avery Center for Obstetrics and
Gynecology, involved a patient who sued a healthcare clinic that released
her medical records to a third party, under subpoena, without informing
Byrne or getting her permission. That ultimately resulted in her
ex-boyfriend allegedly viewing Byrne's health records and using them to
harass, embarrass and extort her, says attorney Bruce Elstein, of law firm
Goldman, Gruder & Woods, who represents the plaintiff in that case.

Damages Upheld

Attorney Neal Eggeson of Eggeson Appellate Services, who represented the
plaintiff in the Walgreens case, tells ISMG that the Indiana ruling is
particularly significant because it upholds damages in a privacy case
involving allegations of negligence.

"There haven't been many HIPAA cases involving negligence, and not many
have gone through trial," Eggeson says. "Now, a published decision says
that not only can you sue for HIPAA negligence, but an appeals court has
upheld a seven-figure decision against a healthcare entity for HIPAA
privacy negligence."

The courts are recognizing that HIPAA doesn't preclude negligence cases
when HIPAA is the "standard of care" that healthcare providers use to
protect patient privacy, Eggeson says.

Importance of Privacy

Some legal experts say the recent court decisions highlight the importance
of the HIPAA Privacy Rule's mandates to safeguard patient information.

"It does not surprise me that state-level courts are deciding to find the
HIPAA privacy and security rules set the generally accepted standard on how
health information may be used and disclosed," says attorney David
Holtzman, vice president of compliance at security consulting firm
CynergisTek. "Juries deciding these cases are acting on their belief of
what is right or wrong after a thorough examination of the facts.

"The privacy protections, like those in the HIPAA Privacy Rule, are the
most recognizable tool that allows for evaluating what is acceptable
conduct. Just as importantly, courts are supporting the notion that there
can be real and demonstrable harm that results from the disclosure of
sensitive health information with a malicious intent to cause emotional
pain or injure a person's reputation."

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who is
not involved in either the Indiana or Connecticut cases, says the two
rulings are the most recent examples of how some HIPAA-related lawsuits can
withstand legal scrutiny.

"There has been an opening to use HIPAA in other [negligence suits] claims
for some time," he says.

"For example, back in 2007 a plaintiff successfully used HIPAA as the
standard of care in a negligence case in Acosta v. Byrum, and there were
discussions back then as to whether the North Carolina case would open the
floodgates to private rights of actions under HIPAA," he says. "We haven't
seen that many such cases since 2007."

That North Carolina case involved a patient who sued her healthcare
provider for negligence after the provider granted a third party
unauthorized access to the patient's psychiatric and other medical records.

The $1.4 million verdict in the recent Indiana case may lead others to file
civil negligence suits, brought under state and other statutes, that invoke
the HIPAA benchmark, Greene predicts. Nonetheless, many of those cases will
still face uphill battles in court. "There will often be challenges with
such suits, such as demonstrating damages from a breach of
confidentiality," Greene says.

Holtzman predicts more privacy cases will be filed "as more states pass
laws establishing how sensitive personal information must be protected from
unauthorized use and disclosure, along with courts recognizing a right of
privacy when there is proof of harm suffered by an individual victim."

Walgreens, in a statement provided to ISMG, says, "We take seriously our
responsibility to safeguard the privacy of medical records in our
possession. The pharmacist in this case admitted she was aware of our
strict privacy policy and knew she was violating it. She was appropriately
disciplined for her action. We believe it is a misapplication of the law to
hold an employer liable for the actions of one employee who knowingly
violates company policy. We intend to appeal the ruling."

The August 2011 complaint filed by Hinchy against the pharmacist claimed,
among other things, negligence, professional malpractice and invasion of
privacy. The lawsuit also charged that Walgreens was liable for the
pharmacist's actions and alleged the retail chain was guilty of negligence
for a lack of training and supervision, among other factors.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/