Award May Cement Employer's Role in Breach Suits
When Audra Withers shared Abigail Hinchy’s pharmaceutical record with Hinchy’s former boyfriend, she had no idea it would lead to a legal decision affirming an employer’s HIPAA liability.
Last month, an Indiana Court of Appeals ruled that Withers’ employer, Walgreens, was as culpable as was Withers for the breach of Hinchy’s protected health information; thereby, upholding a $1.44 million civil judgment.
Hinchy sued Withers alleging negligence, malpractice, invasion of privacy, and public disclosure of public facts—but she also sued Walgreens for the cause of action as Withers’ employer. The former boyfriend was Withers’ husband, and he threatened to use the information in a paternity lawsuit. Walgreens acknowledged the breach of private health information, but argued it was exempt from liability for acts of an employee who knowingly violated company policy. Before a jury, Walgreens lost and appealed the decision.
The court of appeals cited a number of Indiana cases to explain the concept of responde et superior, deciding that an employee is acting within of the scope of work, when the employee and the work being done is within the employer’s control. It also found that under Indiana law, Withers had a duty of confidentiality to Hincy, and that she had breached that duty by reviewing and disclosing the records without permission. Walgreens, it said, was liable because its attachment to Wither’s negligence and professional malpractice.
Although employers’ liability in cases like this isn’t new, legal experts say the decision by a state court in a civil case, using HIPAA as a standard of care, could be groundbreaking.