Friday, January 29, 2016
Pharmacist HIPAA Retaliation Claim Results in 31 Million Jury Verdict
By: Thomas Eden
McPadden was not only an employee but also a customer of Walmart’s pharmacy, and she chose to have her personal prescriptions filled at the Seabrook location. In order to be a customer, McPadden provided private and protected health information as part of her Walmart pharmacy patient profile record. In her Federal Court lawsuit, McPadden claimed that in the fall of 2012, another Walmart pharmacy technician at the Seabrook store accessed her private health information and discovered that she suffered from a serious anxiety medical condition, which the technician then disclosed to other employees of the Seabrook store. McPadden complained and claimed this misconduct violated her privacy rights under New Hampshire law and the Health Insurance Portability and Accountability Act (also known as “HIPAA”).
Prior to that episode, in 2011, McPadden thought there were too many mistakes occurring as a result of the high employee turnover in the pharmacy, so she reported the problem to the New Hampshire Board of Pharmacy. She also reported her patient safety concerns over the staffing issues to store management.
It so happened that McPadden lost a key to the pharmacy in November of 2012, which she immediately reported to store management. McPadden noted in her lawsuit that male pharmacists were never fired when they lost a key. However, she was promptly fired after 18 years of service rather than given a warning.
Put simply, McPadden’s argument to the jury was that Walmart was guilty of disciplining her more harshly than it did male co-workers and firing her when she complained some of her medical data had been improperly disclosed, and because she acted as a whistleblower to the New Hampshire Board of Pharmacy.
On January 27, a New Hampshire Federal Court jury sided with McPadden and awarded $15 million against Walmart for punitive damages on McPadden's Title VII claims and another $15 million in enhanced damages stemming from a similar New Hampshire Law Against Discrimination claim. She also received $1.2 million for back and front pay and damages stemming from those bias claims, HIPAA retaliation, as well as whistleblower and wrongful termination claims.
Common Sense Counsel: This is a scary case for any health care employer who is also a health care provider for some of those same employees. The HIPAA confidentiality lines can get really blurred, so conduct your own thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization on anyone who is also an employee. The HIPAA Security Management Process standard in the Security Rule requires organizations to “implement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is the first of four required implementation specifications. Next, put in place your Administrative Safeguards, Physical Safeguards and Technical Safeguards, followed by HIPAA Security Training and Compliance Testing. Failure to do so can put you in the crosshairs of 12 angry jurors as they complete the Jury Verdict Form.
Tommy Eden is a partner with the nationwide Management Labor firm of Constangy, Brooks, Smith & Prophete, LLP, and advises and defends Employers, Medical Practices and Laboratories on a variety of HIPAA issues. He can be contacted at firstname.lastname@example.org, 334-246-2901 or 205-222-8030 mobile. Blog at www.alabamaatwork.com.