The facts of the case are a mix of pharmacist privacy violation and good old fashioned baby mama drama. The trial happened awhile back, and the Court of Appeals upheld the verdict.
Short version of facts:
Plaintiff got her birth control filled at Walgreen for years. Peterson was having sex with her off and on. At some point, Peterson starts dating a Walgreen pharmacist named Withers. Plaintiff gets pregnant with Peterson’s kid, and Peterson also contracts herpes. Peterson lets the pharmacist/girlfriend Withers know that he may have exposed her to herpes. Withers goes digging into Plaintiff’s medical record. Pharmacist/girlfriend says she didn’t share the information with anyone, but not long after, Peterson has an email exchange with Plaintiff bitching about how she never even got her birth control refilled in July and August. Plaintiff files suit against Walgreen and Withers for malpractice. The jury found her damages to be $1.8 million and found Walgreen/Withers jointly responsible for 80% of the damages.
I’d like to see how the jury went about measuring damages in this case. Generally, I trust juries when deciding questions of liability. I’m frequently more skeptical of the math they do to calculate damages when they do find liability.
How angry are we + how much we like the plaintiff + how much we hate the defendant = damage verdict
It does seem like a high damage charge. About the lifetime earnings of an average American simply for violating privacy. And what role did Walgreen play in this … aside from providing “deep pockets”.
I have spent a lot of my career with HIPAA. I also teach online health law classes to nurses and other healthcare professionals. Many of my students write about the trial court version of this case. My response is two-fold.. I do not see liability for Walgreens. Secondly, it is virtually impossible to prevent intentional HIPAA violations. In organizations like pharmacies, the information must generally be available to everyone to make the operation viable. Big providers, however, may limit use sophisticated access controls to limit access to only those with a need to know the PHI.
I only read the case once. I should give it an indepth look. Still, I am suspicious of respondeat superior in a case like this where there is so much HIPAA training combined with an intentional and malicious disclosure.