You know what I realized today? Another reason to use proper medical data encryption for HIPAA compliance is that it spares you the time (and money) spent appealing what appears to be a boneheaded decision by a jury.
According to indystar.com, a jury of six deliberated for four days and concluded that Walgreens should pay an aggrieved plaintiff the lofty sum of $1.44 million. The decision is unusual because Walgreens didn’t do anything wrong (at least, as far as I can see).
Pharmacist Decides to Break All the Rules
According to indystar.com, a Walgreens pharmacist looked up and “divulged” the information pertaining to her husband’s former girlfriend. It’s not clarified why, although the implication is that child custody issues were at the center of it (the husband and the ex-girlfriend had a child together).
Digging up patient data and handing it to a third party is an obvious HIPAA breach, and under most circumstances it deserves some kind of punishment. Furthermore, if Walgreens hadn’t made this abundantly clear to the pharmacist, the company would also have to pay its just dues (though one wonders why the company would have to spell it out, as I’m pretty sure pharmacists take an ethics course before they’re awarded their degrees and know not to engage in such behavior).
The thing is, it looks like Walgreens already did pretty much all it could do (my emphasis):
Sorry, but how can Walgreens possibly be in the wrong? Well, actually… I guess if the pharmacist has a history of such egregious behavior in the workplace, Walgreens would be responsible for continuing to employ her. But this does not appear to be the case.
Obviously, Walgreens will be appealing the decision. In some ways, it cannot afford not to. According to surveys, up to 30% of data breaches at any organization can be traced back to employees. If Walgreens accepts this judgment, it sets a precedent that will lead to lawsuit after lawsuit in cases where the company is morally in the clear.
What if this was a Lost Laptop Taken Against Company Policies?
The above case raises questions, though. Let’s say a company has a computer use policy that prohibits employees from downloading sensitive data to laptop computers, or from taking said computers outside the workplace.
Lo and behold, an employee downloads sensitive data to his company-issued laptop and loses the device while he’s on a conference trip. Is the company not at fault? After all, the parallels to the above case are exact. And yet, there’s a part of me that feels that the company should have known better.
What’s causing the cognitive dissonance? Possibly, it’s a matter of expectations: while we don’t expect people to download information to laptops, we know it’s going to happen. Indeed, it happens often enough to account for up to 30% of data breaches.
It happens so often that we kind of expect the companies to expect it, too. Hence the call for the use of encryption software on any computers and external storage devices that are used in the workplace.
Pharmacists looking up patient information and using it for something other than filling prescriptions? That’s uncalled for, and we expect better from anyone in the medical profession (especially those who hold not just a clerical or administrative position, but one directly responsible for human health).
Still, you can see how it appears as if there are double standards. Will it stay this way? Or will the US courts opt to become strictly logical and penalize companies for employees’ misdeeds regardless of what “expectations” are?