Recently, the Indiana Court of Appeals let stand a $1.4 million jury verdict against a national pharmacy chain for its employee pharmacist’s unauthorized disclosure of a customer’s confidential medical records. Given the “deep pocket” liability finding, this decision might spark additional civil lawsuits also based on violations of HIPAA privacy rules by healthcare workers.
The case, Walgreen Co. v. Hinchy, — N.E.2d –, 2014 WL 6130795, at *1 (Ind. Ct. App. Nov. 14, 2014), (affirmed on rehearing, Jan. 15, 2015), involved a Walgreen pharmacist who admitted to disclosing confidential medical records of a customer she suspected had shared a sexually transmitted disease with the pharmacist’s boyfriend. The jury found that the pharmacist was acting as a Walgreen employee when the privacy violation took place, and that the company was 80 percent at fault for the resulting damages. (Surprisingly, the court did not deem the jury verdict to be excessive even though the plaintiff had no physical injury or economic injuries.)
In upholding the vicarious liability, the court noted that the jury found that the pharmacist was acting in the course and scope of her employment, to wit: in looking up the records she was acting in the same general nature as those authorized, or incidental to her authorized actions, specifically she was authorized to use the computer system and look up prescriptions for customers and review prescription histories and print them out; she was at work using company equipment when the actions occurred; and the customer (her boyfriend’s former girlfriend) belonged to the general category of individuals to whom the pharmacist owed a duty of privacy protection by virtue of her employment. The court focused on the fact that the pharmacist’s conduct was of the same general nature of her ordinary job duties, and much of her conduct was of the same general nature authorized by her employer.
A key issue for future lawsuits will be how broadly courts view an employee acting “within their scope of employment” to give rise to vicarious liability. In the Indiana case, the pharmacy argued that the employee was acted outside the scope of her employment when she disclosed to her boyfriend the customer’s medical information and, therefore, the pharmacy should not be held vicariously liable. However, the Indiana Court of Appeal ruled that since at least part of the pharmacist’s actions – looking up customer medical records – was permitted by the pharmacy, the question of whether the pharmacist was acting within the scope of her employment had to be decided by the jury. This holding seems to ignore the fact that the pharmacist did not have authority to snoop in the medical records of that specific customer having an affair with her boyfriend. Both the pharmacist’s unauthorized snooping and disclosures are violations of HIPAA.
The Indiana jury instructions are similar, but not identical to Arizona’s jury instructions on what types of actions fall within the course and scope of employment. The Indiana instruction provides significantly greater latitude for a jury to find that a wrongful act is “incidental” to or “closely associated with“ the employee’s job duties that will bind the employer. In contrast, other states, such as Arizona, also require that the “act” be motivated by at least in part by a purpose to serve the employer. If the case had been tried using a jury instruction such as Arizona’s, the outcome may have been different.
Another issue is what additional steps a pharmacy could take on its own to more strongly deter, if not stop an employee from improperly accessing customer medical records in violation of HIPAA. Employers might consider investing in medical record systems that track and flag or limit the number of times that a person can access one customer’s record and otherwise flag suspicious behavior.