Financial Award for Disclosure of Protected Health Information

Pharmacy Times, August 2015 Pain Awareness, Volume 81, Issue 8

What is the liability exposure of a pharmacy employer when a pharmacist ignores policies regarding confidentiality and releases a patient's protected health information?

ISSUE OF THE CASE

What is the liability exposure of a pharmacy employer when a pharmacist ignores policies regarding confidentiality and releases a patient’s protected health information?

FACTS OF THE CASE

A pharmacist employed by a national pharmacy chain at a location in a Midwestern state had standard access to patient information about medications being used, as well as selected health information, for which she had completed the standard training for those who have such access. The pharmacist’s husband had been in a relationship with another woman who was a patient at the pharmacy where his present wife practiced and had apparently fathered the child of that woman.

During a normal working shift, the pharmacist went into the firm’s patient information database to view information about medications used by the other woman. An entry on the patient’s list could have been used to treat a sexually transmitted disease, and the pharmacist shared that information with her husband. The husband then texted the other woman, telling her that he was aware that the medication could be used for such a purpose. This appeared to be in response to the woman’s efforts to obtain child support. The woman reportedly called the pharmacy to complain about the release of her protected health information. The pharmacist allegedly was able to access the information a second time.

Both the woman whose information had been released and the pharmacy chain agreed that the pharmacist had breached privacy laws and company policy by viewing the information. However, the pharmacy chain made a pre-trial motion for summary judgment to have the matter decided in its favor. A summary judgment, or disposition of the case without a full trial, is appropriate when no material facts are at issue. The employer supported that motion by arguing that the pharmacist’s actions fell outside her scope of employment because the privacy violation was not linked to any conduct authorized by the employer.

THE COURT’S RULING

The state trial court judge denied the motion for summary judgment because the conduct under review was based on training and responsibilities derived from the pharmacist’s employment by the pharmacy chain. He ruled that it was up to a jury to decide whether the pharmacist’s actions were sufficiently associated with the activities she was authorized by the employer to perform.

THE COURT’S REASONING

The plaintiff had advanced 3 legal bases for the lawsuit. The first used the legal theory of respondeat superior (let the master answer), which holds an innocent employer vicariously liable for the acts of an employee performed within the scope of employment. The second argument was negligent training, supervision, and retention of the employed pharmacist. The third and final argument was negligence, invasion of privacy, and public disclosure of private facts. All 3 are heavily rooted in state law.

The judge said that the offensive conduct of the pharmacist was connected to training and duties she had because of her employment, but that her motivation to view the protected information was independent of any activities authorized by the employer. Those 2 varying approaches to the facts of the matter made a summary judgment inappropriate for the respondeat superior claim. Summary judgment was granted, however, for portions of the other 2 arguments advanced.

The jury decided the case, concluding that the pharmacist was acting in her employee role when she had the impermissible access to the patient’s information. The judge declined to dismiss the negligent supervision claim because of the pharmacist’s second visit to the patient information database after the firm had been alerted to her first breach. The argument on this latter point was that the firm has failed to take steps to protect the patient’s privacy even after being alerted to the transgression. The jury concluded that the pharmacy chain was 80% at fault, with the remaining 20% resting with the husband. Total damages were calculated to be $1.8 million, with $1.4 million allocated to the pharmacy chain.

A spokesman for the pharmacy chain said, “The pharmacist in this case admitted she was aware of our strict privacy policy and knew she was violating it.” It has been reported that the pharmacy chain plans to appeal the decision, with the basis being “We believe it is a misapplication of the law to hold an employer liable for the actions of 1 employee who knowingly violates company policy.”

It is important to note that although this case dealt with patient privacy and protected health information using state law concepts and doctrines, this was not a case tied directly to the Health Insurance Portability and Accountability Act, the statute pharmacists typically think of when considering patient privacy matters.

Dr. Fink is a professor of pharmacy law and policy and the Kentucky Pharmacists Association Endowed Professor of Leadership at the University of Kentucky College of Pharmacy, Lexington.