Hannah Kaufman Joseph (Attorney Profile)
Marc A. Menkveld (Attorney Profile)
Katz & Korin, P.C.
334 N. Senate Avenue
Indianapolis, IN 46204
More info on the firm’s Blog, Facebook, and Twitter

---

On November 14, 2014, the Indiana Court of Appeals upheld a $1.44 million jury verdict against Walgreen Company (“Walgreen”) for a pharmacist’s breach of privacy obligations. [1]. The opinion began, “[i]n this case, a pharmacist breached one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client’s ex-boyfriend.” [2]. That brief summary of the case’s fact pattern provides the foundation of what ultimately led to a large jury verdict against Walgreen, derived solely from the acts of its employee.

Abigail Hinchy contacted her local Walgreen after becoming suspicious that a Walgreen’s pharmacist, Withers, accessed her prescription history without authorization and shared it with Hinchy’s ex-boyfriend, whom Withers was dating. [3]. Walgreen’s internal investigation revealed that “(1) a HIPAA/privacy violation had occurred, (2) [the pharmacist] had viewed Hinchy’s prescription information without consent and for personal purposes, and (3) Walgreen could not confirm [whether the pharmacist] revealed that information to a third party.” [4].

A few months later, Hinchy sued Walgreen and the pharmacist under multiple legal theories, eventually proceeding to trial on two theories of direct liability against the pharmacist: professional malpractice and public disclosure of private facts. [5]. Walgreen remained a defendant under the theories of negligent retention and supervision and vicarious liability—a theory in which an employer may be held liable for the torts of its employee that fall within the scope of employment. [6]. At the close of trial, the jury returned a verdict of $1.8 million, allocating 80% of the damages to Walgreen and Hinchy jointly. [7].

As almost certainly anticipated, Walgreen appealed on several grounds. Among other issues raised, Walgreen appealed the denial of its motions for summary judgment and directed verdict. [8]. It argued that Hinchy’s claims for vicarious liability should not have been presented to a jury, because the pharmacist’s wrongful actions did not occur within her scope of employment. [9]. The Indiana Court of Appeals disagreed, relying upon the well-settled principle that “conduct is within the scope of employment when it is of the same general nature as that authorized, or incidental to the conduct authorized.” [10]. The pharmacist was authorized to use Walgreen’s computer system, review prescription histories, and make prescription-related printouts. [11]. The wrongful acts against Hinchy occurred while the employee was on the job, using Walgreen’s equipment, and engaged in conduct that was of the same general nature of her usual job duties. [12].

Based on these observations, the Court concluded that “Withers’s actions were of the same general nature as those authorized, or incidental to the actions that were authorized, by Walgreen.” [13]. Thus, Walgreen was on the hook for its employee’s breaches of privacy, “which attaches via the liability of Withers for her negligence/professional malpractice.” [14].

Hinchy follows a survey conducted by security firm, CloudEntr, which revealed that the majority of organizations view their employees as the biggest threat to cybersecurity. [15]. Of the IT professionals who responded to the survey, 77% said that employees are the single weakest link in the security infrastructure. [16]. The 77% figure is an average of responses received from IT professionals that range from 72% for small firms (20-49 employees) and 85% for medium-sized firms (250-499 employees). [17]. Employees are perceived as most problematic in industries described as “public” (81%) and “non-profit” (84%). [18].

While Hinchy involved what can be described as rather sensational facts, CloudEntr’s senior vice president reportedly explained that “the threat is not seen necessarily as being the result of nefarious behavior, but rather sloppy habits, like reusing passwords or writing them on paper and carrying them in your wallet.” [19].

While factually interesting and legally important for employers who are (justifiably) concerned about liability for their employees’ foolish choices while on the job, this case also demonstrates a key trend in litigation involving HIPAA related privacy issues.

On its face, the requirements of HIPAA appear to be only tangentially related to Hinchy. However, that nexus actually forms the basis of a novel way plaintiffs are utilizing the requirements of HIPAA to recover for breaches of their private information covered by duties established under HIPAA. It is well settled that there is no private cause of action under HIPAA and that HIPAA generally preempts state law. [20].

Creative plaintiffs have not been deterred, finding a basis to establish liability against defendants in the stringent privacy requirements of HIPAA. Defendants previously only had to fear claims or investigations by the Department of Human Services for HIPAA violations, but now, many courts are recognizing HIPAA as the metric for evaluating the standard of care for privacy obligations.

It should be noted that arguments that HIPAA preempts state law claims for privacy violations will be wholly ineffective; there is substantial precedent in varying jurisdictions that HIPAA does not preempt causes of actions arising under a codified state law or pursuant to common law. [21].

As seen in Hinchy, plaintiffs can successfully utilize a HIPAA violation as the proof of an underlying common law or statutory claim, such as breach of privacy, breach of fiduciary duty, defamation, negligence or negligence per se. Further, a federal statute, which does not provide a private cause of action, may serve as an element of a state law claim. [22].

Applying that holding to similar facts, numerous courts have found that HIPAA violations may serve as the predicate act to state common law claims for privacy violations. [23]. Hinchy now follows this line of cases consistently recognizing that HIPAA can establish the standard of care owed to plaintiffs, and inter alia, that a violation of HIPAA can establish liability for duties arising under state law.

The intriguing new angle to the potential exposure for HIPAA violations is that Hinchy recognizes that such acts can fall under respondeat superior theories. Without being hyperbolic, this holding should make employers dealing with HIPAA protected information very nervous. In the past, employers were primarily concerned with demonstrating HIPAA compliance by going through the motions of best practices and hoping that a breach would not catch the ire of the federal government. But now employers have a vested interest in taking their risk management to another level because, under Hinchy, even the most sui generis privacy breach could result in employer liability given the right plaintiff.

Following Hinchy, employers (and more specifically, HIPAA-covered entities) may be exposed to an onslaught of high-dollar lawsuits resulting from their employees’ breaches of privacy. The appellate dust has not yet settled, and Walgreen is sure to seek transfer to the Indiana Supreme Court. But in the meantime, Hinchy is making waves.

---

[1]. Walgreen Co. v. Hinchy, — N.E.2d –, 2014 WL 6130795, at *1 (Ind. Ct. App. Nov. 14, 2014).

[2]. Id.

[3]. Id. at *2.

[4]. Id.

[5]. Id. at *3.

[6]. See, e.g., 12 JOHN BOURDEAU, IND. LAW. ENCYC. EMP’T § 124 (2014).

[7]. Walgreen Co. v. Hinchy, — N.E.2d –, 2014 WL 6130795, at *3 (Ind. Ct. App. Nov. 14, 2014).

[8]. Id.

[9]. Id.

[10]. Id. at *5 (quoting Celebration Fireworks, Inc. v. Smith, 727 N.E.2d 450, 453 (Ind. 2000)).

[11]. Id.

[12]. Id.

[13]. Id.

[14]. Id.

[15]. See generally The State of SMB Cybersecurity in 2015, CLOUDENTR, https://app.box.com/2015State-of-SMB-Cybersecurity?src=undefined (last visited Dec. 4, 2014).

[16]. Id. at 5.

[17]. Id. at 12.

[18]. Id. at 13.

[19]. Matt Hunter, Small Biz Think Workers are Weak Cybersecurity Link, CNBC (November 13, 2014, 7:00 AM), http://www.cnbc.com/id/102178391#infosec.

[20]. Anderson v. Carefree of Colorado, No. 3:12-cv-812, 2014 WL 2468721, at *8 (N.D. Ind. June 2, 2014); Hamilton–Hayyim v. Jackson, No. 12-cv-06392, 2013 WL 3944288, at *9 (N.D. Ill. July 31, 2013) (citations omitted); see also Dodd v. Jones, 623 F.3d 563, 569 (8th Cir. 2010).

[21]. See R.K v. St. Mary’s Med. Ctr., Inc., 735 S.E.2d 715 (W. Va. 2012); Yath v. Fairview Clinics, 767 N.W.2d 34 (Minn. Ct. App. 2009); Baum v. Keystone Mercy Health Plan, 826 F.Supp.2d 718 (E.D. Pa. 2011); Biddle v. Warren Gen. Hosp., 715 N.E.2d 518 (Ohio 1999).

[22]. Merrill Dow Pharm., Inc. v. Thompson, 478 U.S. 804 (1986).

[23]. See I.S. v. Washington Univ., No. 4:11-cv-235, 2011 WL 2433585 (E.D. Mo. June 14, 2011); Harmon v. Maury Cnty., Tenn., No 1:05-cv-0026, 2005 WL 2133697 (M.D. Tenn. August 31, 2005); R.K., 735 S.E.2d at 715; Doe v. Southwest Cmty. Health Ctr., No. FSTCV085008345S, 2010 WL 3672342 (Conn. Super. Ct. August 25, 2010).