Building a HIPAA Toolbox: Part 4
Part 4: Cases show how HIPAA compliance can affect pharmacy operations.
By Erica Lindsay, PharmD, MBA, JD
In July 2013, an Indiana jury returned a $1.4 million judgment against the country’s largest pharmacy retailer, Walgreens, in a case arising from a HIPAA violation. A Walgreens pharmacist accessed the medication profile of her spouse’s ex-girlfriend, whom the pharmacist suspected of giving her spouse a sexually transmitted disease (STD). The pharmacist disclosed the customer’s profile to her spouse, who then sent the woman a message about the STD. The customer sued Walgreens, alleging the retailer was negligent in training and supervising the pharmacist and was therefore responsible for the HIPAA violation, and sued the pharmacist directly for professional malpractice.
Know Individual Liability Under HIPAA
The HIPAA statute, the HITECH Act, and the HIPAA Privacy Rule do not provide a private right of action. This means an individual cannot use a HIPAA violation as a direct cause of action in a privacy lawsuit. The law creates a right to privacy, but not a right to sue. Nonetheless, when a HIPAA violation occurs, the violation can be used as evidence of the healthcare professional’s duty of care, and of its breach, in negligence, breach of fiduciary duty, and invasion of privacy claims. Such claims are brought under state law.
In the STD breach case, the patient asserted that Walgreens failed to train and supervise the pharmacist as HIPAA requires. The pharmacist was sued for professional malpractice because, by violating HIPAA, she departed from the accepted standard of practice for protecting patient privacy. The jury found total damages of $1.8 million: Walgreens was found 80 percent liable, and the pharmacist was found 20 percent liable.
Diagnosis and Prescription Information Protection
Both the employer and the employee have an obligation to protect all patients’ medical information, including diagnosis and prescription histories. This obligation applies while off duty as well. Unauthorized sharing of protected health information (PHI) is a direct violation of HIPAA. Many HIPAA violations occur when a covered entity’s workforce member accesses PHI without a legitimate purpose. A violation can occur when an employee accesses his or her own medical record, or the record of a spouse, minor, or relative, without the patient’s authorization. Patient authorization is not required only when PHI is accessed as necessary for treatment, payment, or health care operations.
Prescription Labels May Leak PHI
A violation also can occur if PHI is not properly discarded. Personal and medical information printed on vials, bottles, and records must be disposed of properly so that others cannot access or recover PHI. HIPAA does not require covered entities to shred PHI; instead, it gives them the flexibility to determine the security measures that best protect patients’ PHI, provided those measures are reasonable and actually prevent unauthorized access.
Prescription labels with PHI on medicine bottles, intravenous drugs, liquid oral medications, and similar containers can be a fertile source of HIPAA violations. In a 2009 case, the U.S. Department of Health & Human Services (HHS) reached an agreement with CVS Pharmacy, Inc. (CVS), which consented to pay $2.25 million to settle potential violations of the HIPAA Privacy Rule. CVS was accused of disposing of PHI, including demographic, medical, and insurance information, in unsecured dumpsters. The settlement required CVS to develop and implement policies, procedures, and training for discarding PHI, to conduct internal monitoring, and to engage an independent assessor to verify compliance for a three-year period.
Wrong Medicine, Wrong Patient
A HIPAA violation can also occur when a pharmacist or technician dispenses one patient’s medication to another, revealing the first patient’s medication, directions, and demographic information. If the violation exposes an especially sensitive finding (e.g., HIV, an STD, or another communicable illness), the patient may have a tort claim for invasion of privacy based on public disclosure of private facts. To prevail, the patient would need to show that publicizing the PHI would be highly offensive to a reasonable person, that the information was not of legitimate public concern, and that he or she suffered damages.
Some healthcare providers may not understand or appreciate current HIPAA laws and regulations; it is therefore the covered entity’s responsibility to stress the importance of complying with federal HIPAA regulations. Training should not happen only once during orientation, but should be reinforced continually. Employers should likewise have a policy for disciplinary action following a HIPAA violation. Covered entities can be fined from $100 per violation up to a maximum of $1.5 million per year for identical HIPAA violations.
If a breach affects 500 or more individuals, the covered entity must notify HHS without unreasonable delay and no later than 60 days after discovering the breach. If a breach affects fewer than 500 individuals, the covered entity may report it to HHS annually, no later than 60 days after the end of the calendar year in which the breach was discovered.
Erica Lindsay, PharmD, MBA, JD, is chief compliance officer, RX Compliance Solutions, LLC. She has worked in healthcare compliance for over 15 years. Lindsay has developed, evaluated, and implemented corporate compliance plans for hospitals and clinics. She leads the pharmacy consulting team in advising clients through complex pharmacy regulations and guidelines including 340B, Medicare/Medicaid billing, and HIPAA compliance.