Sunday, December 21, 2014
It's been almost a year since the publication of the HIPAA Omnibus Rule. Since then the regulatory mavens have been quiet. And that's not surprising. Solutions for our contemporary health privacy challenges such as big data and information collected by mobile apps generally lie outside the scope of HIPAA. In the interim some state courts have been showing surprising vitality in filling HIPAA’s remedial gap, the absence of a private right of action.
In Walgreen Co. v. Hinchy, 2014 WL 6130795 (Ind. Ct. App.), Withers, the defendant's employee-pharmacist, viewed the prescription records of the plaintiff-customer. Withers then divulged the information she learned from those records (including that the plaintiff had failed to fill her oral contraception prescription) to her husband, the customer’s ex-boyfriend and the father of the plaintiff’s child. Plaintiff brought breach of privacy claims against the pharmacist and alleged both vicarious liability and direct negligence against the employer pharmacy chain. The jury returned a verdict for $1.8 million.
Health law teachers spend an inordinate amount of time torturing students with one aspect of respondeat superior law--whether a hospital is vicariously liable for a non-employee physician. In that context we flit easily between the arcane elements of control, non-delegable duty, estoppel and apparent agency. Seldom, however, do we deal with the "other" doctrinal prong of respondeat superior, whether the agent/employee committed the tort within the course of employment.
Cases like Hinchy are legion as provider employees dig into records for their own private, dubious purposes. Recall, for example, the well-known case of Yath v. Fairview Clinics, N.P., 767 N.W.2d 34 (Minn. Ct. App. 2010). While it is possible, though not easy, to hold the employee liable at common law, it's tricky to extend that to employer responsibility. This is because such employees are almost always going to be committing intentional torts in violation of internal (and HIPAA) privacy rules and will tend to be on a "frolic" of their own. However, the appellate court in Hinchy affirmed the jury verdict. Here is the key passage:
Withers was authorized to use the Walgreen computer system and printer, handle prescriptions for Walgreen customers, look up customer information on the Walgreen computer system, review patient prescription histories, and make prescription-related printouts. Withers was at work, on the job, and using Walgreen equipment when the actions at issue occurred. [Plaintiff] belonged to the general category of individuals to whom Withers owed a duty of privacy protection by virtue of her employment as a pharmacist. The fact that some of Withers's actions were authorized, or incidental to authorized actions, or of the same general nature as authorized actions, precludes summary judgment... whether Withers was acting in the scope of her employment was properly determined by the jury rather than as a matter of law by the trial court.
Hinchy did not address the plaintiff’s direct claims against the pharmacy chain for negligent training, negligent supervision, and negligent retention (the first of which the trial court had rejected). No doubt they will be further explored by future plaintiffs in these types of actions. For now, Hinchy sharply narrows the employer-defendant ‘frolic’ argument in cases where the health care provider employees' actions either were “incidental to authorized actions” or were “of the same general nature as authorized actions.”