Employer held responsible for employee’s HIPAA privacy violations
On November 14, 2014, the Court of Appeals of Indiana found a pharmacist and her employer liable for the damages sustained by a customer as a result of the employee’s HIPAA breach.
The pharmacist breached one of her most sacred duties by viewing the prescription records of a customer without consent and for personal purposes and divulging the information she learned to the client’s ex-boyfriend. The customer filed a complaint against Walgreen and the pharmacist. Against the employee, Plaintiff filed claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion. Against Walgreen, Plaintiff filed claims seeking liability for the counts she filed against the employee by way of respondeat superior, as well as direct claims for negligent training, negligent supervision, negligent retention, and negligence/professional malpractice.
The trial court granted the Plaintiff claims for negligent training (against Walgreen) and invasion of privacy by intrusion (against the pharmacist), awarding $1.44 million in damages. Employer and employee were held jointly responsible.
Walgreen appealed the decision arguing, among others, that the trial court erred in denying its motions for summary judgment and directed verdict. Walgreen contended that it was entitled to judgment as a matter of law on Plaintiff’s claims for respondeat superior and negligent retention and supervision.
The Court of Appeals held that the trial court did not err in denying Walgreen’s summary judgment and directed verdict: vicarious liability is imposed upon an employer under the doctrine of respondeat superior “where the employee has inflicted harm while acting ‘within the scope of employment.’ An employer is not held liable under the doctrine of respondeat superior because it did anything wrong, but rather because of the [employer’s] relationship to the wrongdoer.”
The Court deemed that the pharmacist’s actions were of the same general nature as those authorized by Walgreen or were incidental to those authorized actions. In fact, the pharmacist was authorized to use the Walgreen computer system and printer, to handle prescriptions for Walgreen customers, to look up customer information on Walgreen computer system, to review patient prescription histories, and to make prescription-related printouts. The pharmacist was at work, on the job, and using Walgreen equipment when the actions at issue occurred. Plaintiff belonged to the general category of individuals to whom the pharmacist owed a duty of privacy protection by virtue of her employment.
Court of Appeals of Indiana Opinion is available at http://www.in.gov…