Government action and fines are consequences of failure to comply with HIPAA and Federal & State privacy laws, but private party action has also been successfully litigated using HIPAA, despite the fact that there are no direct allowances for private cause of action in the law.
Private Party Litigation: HIPAA may be the Yardstick
In 2013, an Indiana jury awarded $1.44 million to a customer as a result of a violation of the Health Insurance Portability and Accountability Act (HIPAA) by a Walgreens pharmacist. The pharmacist’s husband had an affair with a woman, a customer of Walgreens, that resulted in a child. The woman (now ex-girlfriend) was seeking child support. The pharmacist suspected her of giving her husband a sexually transmitted disease and accessed her confidential medical history. The husband then sent a text message to the ex-girlfriend referencing her confidential medical information in an attempt to blackmail her into dropping her claim for child support. The suit by the ex-girlfriend accused Walgreens of negligence in its supervision of the pharmacist. Although Walgreens argued that the pharmacist’s illegal acts were not authorized by the company, the pharmacist admitted she was aware of the strict privacy policy and knew she was violating it. Walgreens still lost. Damages were split 80 percent company responsibility, 20 percent pharmacist responsibility.
‘I did not sue Walgreens for violating HIPAA, I sued Walgreens for negligence, but I used HIPAA to prove that Walgreens was negligent. Similarly, I did not sue the pharmacist for violating HIPAA, I sued her for professional malpractice, but I used HIPAA to prove that what she did fell below the commonly-accepted standard for
– Neal F. Eggerson, Attorney
Privacy Breaches and Lawsuits
Privacy breaches are increasing and the laws around them have evolved substantially. Detailed requirements mandated by law are being used not only to levy fines, but to support private party lawsuits. You and your clients may or may not be subject to HIPAA, but it is in your best interest to act as if you are. You may be held accountable to this standard. You are almost certainly subject to other privacy laws and lawsuits where HIPAA may be the yardstick against which your actions or inactions are measured. This is all separate from and in addition to your ethical responsibilities.
Complying with the law here is much harder than most assume. Consider this from the FBI:

“The biggest vulnerability was the perception that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise,”
– FBI Memo, April 17, 2014.
Top 10 Security & Compliance Guidelines for Your Firm:
1. Assess risks in maintaining privacy and security, then update and/or establish policies and safeguards to ensure everyone who touches your data (including subcontractors and their subcontractors) will keep information confidential and your environment secure.
2. Get assurances from employees and contractors in writing that they will follow adequate procedures. Simply getting a Business Associate Agreement (as required by HIPAA) is not sufficient – be sure vendors actually understand and meet
3. Designate a single individual of authority who is ultimately responsible for your firm’s security & privacy.
4. Ensure your policies and procedures support the concept of minimum necessary use and disclosure.
5. Communicate with your clients and get consent for whatever you may be doing with their information.
6. Ensure you have a system in place to train and manage your employees and how to respond.
7. Evaluate any instance where firm data is not encrypted. Encryption helps protect data and often provides safe harbor for data breach notification.
8. Engage a qualified company to review your policies and procedures.
9. Assess risks and opportunities with your clients regarding their compliance with
10. Consider consequences for third-party injury as a result of failure to comply.
Can a HIPAA Violation Result
The answer increasingly appears to be yes.
DAVE KINSEY, PRESIDENT, TOTAL NETWORKS
As President of Total Networks, Dave is responsible for providing strategic information technology assistance to many Arizona law firms. Dave’s team is the first and only Arizona IT company to earn the CompTIA Security Trustmark, certifying that Total Networks meets or exceeds security best practices.
Have a question for the IT Expert? Call or email Dave directly at