Erica Lindsay, PharmD, MBA, Esq.
Erica Lindsay, PharmD, MBA, Esq., is a healthcare attorney practicing in the greater Chicagoland area. Dr. Lindsay is active in various organizations including the American Bar Association, where she is chairwoman of the Nursing and Allied Healthcare Professionals Task Force, Illinois State Bar Association, Health Care Compliance Association, American Society of Pharmacy Law, American Intellectual Property Law Association and the Chicago Bar Association. She has recently published Protect and Empower: The Career Survival Guide for Healthcare Professionals. Dr. Lindsay can be contacted at email@example.com
A patient cannot use a HIPAA violation as a direct cause of action in a privacy lawsuit. HIPAA creates a right to privacy, not a right to file suit.
However, if a HIPAA violation occurs as a result of a breach of duty, negligence, or professional malpractice, then such cases can be brought under state laws.
HIPAA is a federal law signed in 1996 that addresses various health care issues such as insurance coverages, tax-related provisions, and group health insurance requirements.
HIPAA includes the Privacy Rule, which establishes national standards to safeguard a patient’s protected healthcare information (PHI) and gives patients access to their health information. These standards apply to health plans, health care clearinghouses, and providers who manage health care transactions, including pharmacists and pharmacy staff.
HIPAA’s Privacy Rule also allows for a practitioner or covered entity to use or disclose Minimum Necessity information pertaining to a patient’s health condition or status. Minimum Necessity is the minimum PHI required to accomplish the intended purpose surrounding the care of the patient.
Under HIPAA, patients have the right to obtain copies of their PHI which includes medical and billing records in the prior 6 years. Exclusions include psychotherapy notes, legal documents, or laboratory results prohibited under the Clinical Laboratory Improvement Act (CLIA). The provider may deny access to PHI if such access could harm the individual or others.
During the course of business, pharmacies and hospitals may get signed authorization from patients prior to service, allowing them access to use their PHI during their care.
The Privacy Rule requires that a HIPAA disclosure authorization contains either an expiration date or event that relates to the individual or the purpose of the use or disclosure. An authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event.
If the patient is incapacitated or unavailable, the covered entity may use or disclose PHI without authorization and without giving the patient an opportunity to agree or object. These instances include disclosures required by law, disclosures for public health oversight, and reports of child abuse or neglect.
Two instances in which PHI must be disclosed regardless of the patient’s authorization are when PHI is provided directly to the patient and when it is provided to the US Department of Health and Human Services (HHS) during an investigation.
The main provision where providers may disclose a patient’s PHI without consent is under Treatment, Payment or Operations (TPO).
- Treatment: when a pharmacist communicates with a physician regarding the patient’s care.
- Payment: when a pharmacist seeks insurance regarding a prescription claim.
- Operations: when a pharmacy conducts an audit of patient records which contain PHI.
Take, for example, a pharmacy that dispensed to John Brown (DOB 01/01/55) a Truvada prescription that was intended for patient John Brown (DOB 03/03/72). This is an incidental disclosure of PHI because Truvada is known to be used for the treatment of HIV, so the John Brown who received the prescription could assume that John Brown (DOB 03/03/72) has HIV. If no direct damages resulted from the disclosure, then a civil suit may not result in an award.
In July 2013, an Indiana jury awarded a $1.4 million judgment against the nation’s largest drug retail chain, Walgreens, for violating HIPAA.
A Walgreens pharmacist based in Indianapolis viewed the prescription profile of her husband’s ex-girlfriend (the patient) in Crown Point, Indiana, more than 150 miles away. The pharmacist suspected that the patient gave her husband a sexually transmitted disease (STD) and disclosed the patient’s PHI to her husband, who then sent a text message to the patient regarding the STD.
The patient informed Walgreens about the incident, but no action was taken. Afterwards, the pharmacist accessed the patient’s prescription profile again, without the patient’s consent and without any treatment, payment, or operations purpose. The patient won the suit, which claimed that Walgreens was responsible for the HIPAA violations through negligence and that the pharmacist was directly liable for professional malpractice.
Inappropriate disposal of PHI on medicine bottles and receipts can also lead to a HIPAA violation. In January 2009, HHS reached an agreement with CVS to pay $2.25 million to settle potential violations.
CVS was accused of disposing of medication bottles bearing PHI, including demographic, medical, and insurance information, in open dumpsters behind its stores. The settlement required CVS to establish and implement policies, procedures, and training for disposing of PHI; to conduct internal monitoring; and to appoint an independent evaluator to ensure compliance, a requirement that ended after 3 years.
Fines and penalties
HIPAA violations must be reported to HHS. If a violation or breach affects 500 or more individuals, then covered entities must notify HHS no later than 60 days following a breach.
If, however, a breach affects fewer than 500 individuals, then the covered entity may notify HHS on an annual basis no later than 60 days after the end of the calendar year in which the breaches are discovered.
If a HIPAA violation occurs, covered entities can be fined by HHS from $100 for a single violation up to a total of $1.5 million for identical violations within a calendar year.
Prior to HIPAA, it may have been common practice for a pharmacist or staff member to access the medical or prescription records of a family member or friend out of concern, or to access the record of a patient involved in a news incident. These are violations under current law, and depending on your covered entity’s HIPAA policy, they could lead to immediate termination.
Please train yourself and your staff on the law, and report any violations immediately to your supervisor or compliance department.
This is general information, not legal advice, and does not form an attorney-client relationship. Consult your lawyer to address specific legal issues.