ADVERTISEMENT
HIPAA Violations in the Pharmacy
The privacy rule of the Health Insurance Portability and Accountability Act, commonly known as HIPAA, is frequently discussed yet poorly understood. The privacy rule applies to protected health information, or PHI. This is defined as information pertaining to an individual's past, present, or future health condition, provision of health care, payment of health care, which identifies that individual or if a “reasonable basis” exists to believe that the information can identify the individual, according to the US Department of Health and Human Services.
Criminal penalties, including up to 10 years of jail time, may result if PHI is knowingly obtained or disclosed, or when information is gained under false pretenses or with the intent to sell or use the information for personal gain. However, most enforcement actions are civil, and many are the result of accidental release of PHI. Civil penalties include monetary fines and corrective actions, such as changing a procedure, training, or instituting safeguards on personal information. This month’s case examines the repercussions of a HIPAA violation.
The Facts
The facts in this case are complex. A female pharmacist at Walgreens accessed the prescription and personal records of a patient of the chain without any business reason or authorization. The patient was the ex-girlfriend of the pharmacist’s husband, and the pharmacist accessed the patient’s records because she believed that her husband had contracted a sexually transmitted disease from the patient. In the course of looking at the records, the pharmacist discovered that the patient had not filled her prescription for birth control pills during the month when she had become pregnant with a baby, which she claimed was the child of the pharmacist’s husband. The pharmacist’s husband sent a text to the patient informing her that he knew that she had not filled her birth control prescription as she was supposed to that month.
The patient notified Walgreens and upon investigation it was determined that a HIPAA violation had occurred and that the pharmacist viewed the record without consent and for personal purposes. As a result of the investigation, the pharmacist received a written warning and was required to take a HIPAA training program.
The patient then filed a lawsuit against both Walgreens and the pharmacist.
(Continues on next page)
Trial and Appeal
The plaintiff sued the pharmacist and Walgreens for claims of negligence, professional malpractice, and invasion of privacy, as well as negligent supervision and retention on the part of Walgreen’s. After a 4-day trial, the jury found in favor of the plaintiff, and awarded damages in the amount of $1.4 million against the pharmacist and Walgreens.
Walgreen’s subsequently appealed the decision, specifically as to whether the chain could be vicariously liable for the action of the pharmacist, and whether the amount of damages was excessive. The appeals court sided with trial court and affirmed the lower court’s decision, holding that the chain was in fact liable for the actions of its pharmacist, and that the damages were appropriate.
The Takeaway
HIPAA violations can result in administrative penalties or in a lawsuit if, as in this case, a breach of duty, negligence, or professional malpractice is the result of the violation. Whether you work in a retail or health-system setting, the message is clear: never, under any circumstances, access the records of a patient or customer without a legitimate purpose. Never access records for curiosity, for friends, or even for relatives. Familiarize yourself with your employer’s privacy policy, and follow it strictly. The privacy of your patients’ personal health information is essential. Treat it as you would your own.
Employers have a corresponding responsibility to train personnel to properly monitor and audit personal health information records access, as well as to train employees on the importance of following the HIPAA privacy law.
Ann W. Latner, JD, is a freelance writer and attorney based in New York. She was formerly Director of Periodicals at the American Pharmacists Association.
