Data breach victims and their lawyers have often subscribed to the theory that a HIPAA violation does not give victims a “private cause of action” against a covered entity, meaning they can’t sue as individuals over a privacy breach. The court-ordered Walgreens $1.44 million payment to an Indiana woman after a pharmacist inappropriately used her position to take and share her protected health information (PHI) seemed to fly in the face of commonly accepted realities of patient data breaches.
The case, decided in July, was unique in that after plaintiff Abigail Hinchy called Walgreens to alert them to the breach, pharmacist Audra Peterson was still able to access the data a second time. Walgreens responded to the lawsuit by arguing that Peterson willingly going against corporate patient privacy rules absolved the company of responsibility. Peterson had accessed the data multiple times and given it to her husband, Hinchy’s ex-boyfriend, who then texted Hinchy to tell her he had seen her PHI.
However, the way the judge and jury interpreted Walgreens’ liability may have future repercussions. Clearly, the judge and jury were confident that Walgreens hadn’t done enough internally to prevent Peterson from snooping through patient files, such as implementing an internal user monitoring product. As lawyers.com reported, it was rare for an attorney not to bend to the normal HIPAA violation protocol among attorneys, as Hinchy’s attorney Neal F. Eggeson did, and that served as the difference in how the case was decided.
“Because of the relentless industry rallying cry that ‘HIPAA does not allow a private cause of action,’ most attorneys are cowed out of trying to do anything about HIPAA violations,” Eggeson told lawyers.com. “10 years into the HIPAA privacy rule, I should not be the only attorney in the country doing this type of work. My hope is that this opens eyes — both by lawyers like me and by the health care providers.”
Eggeson likely isn’t the first lawyer to pursue patient compensation for HIPAA violations from the jury award angle. But does his success in doing so now and in the past in Indiana (a case in 2010, according to the lawyers.com report) mean that patients no longer have to rely solely on the Department of Health and Human Services (HHS) or Office for Civil Rights (OCR) to regulate HIPAA compliance? Or is this ruling generally considered an anomaly given Walgreens’ size and resources as well as the nature of Peterson’s repeated violations?
As far as Eggeson is aware, those two verdicts are the only jury awards against healthcare providers who have violated HIPAA privacy rules.
“Even in my Walgreen case, Walgreen refused to turn over any documentation regarding how frequently their employees have been disciplined for similar fishing,” Eggeson said. “I suspect those statistics would be chilling.”