Employer Liability for Employees’ Privacy Violations: What Your Organization Should Learn from Walgreens’ Expensive Lesson (Hint: It Has Little To Do with HIPAA)
You may already have read the scintillating facts surrounding a jury award of $1.44 million (recently challenged unsuccessfully on appeal) against Walgreen Co. following its pharmacist’s alleged inappropriate review and disclosure of patient records. What caught our attention was not so much the lurid details (the pharmacist was alleged to have looked up her boyfriend’s ex in Walgreens’ patient records, apparently to determine whether the ex might have passed an STD to her boyfriend). The more notable development was an employer footing the bill for a large jury verdict even though the employee violated the company’s policies as well as the law. This alert describes how Walgreens was put on the hook for its employee’s misdeeds, and examines whether a similar rationale could be applied in other privacy contexts (not just HIPAA) to create a new trend in employer liability for employee privacy violations. The implications are significant given the relative lack of success plaintiffs have encountered to date when attempting to prosecute perceived privacy violations in court.
Against the pharmacist, the patient pursued state-law claims of negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion. She sought to hold Walgreens liable through respondeat superior (vicarious liability), and also included direct claims for negligent training, negligent supervision, negligent retention, and negligence/professional malpractice. While the trial judge dismissed the negligent training claim against Walgreens and the invasion of privacy by intrusion claim against the pharmacist, he allowed the other claims to proceed. The jury returned a general verdict for the patient, finding the pharmacist and Walgreens jointly liable for $1.44 million in damages.
The linchpin of respondeat superior is that an employer can only be held vicariously liable for damage caused by an employee if the employee was acting “within the scope of employment” when the injury occurred. When it appealed the jury verdict, Walgreens seized on this factor and argued that the pharmacist’s actions were outside the scope of employment because she clearly violated Walgreens policy. The appellate court disagreed, citing case law holding an employee’s actions are within the scope of employment if those actions are of the same “general nature” as the actions authorized by the employer, even when the employee’s specific actions are against company policy. The court reasoned that the pharmacist’s improper access of the patient’s records was of the same “general nature” as the actions authorized by Walgreens because the pharmacist took the same steps to access the patient’s records as she would have in properly accessing records of other patients. The pharmacist was authorized to use the Walgreens computer system and printer, handle prescriptions for Walgreens customers, look up customer information on the Walgreens computer system, review patient prescription histories, and make prescription-related printouts. The court found that the pharmacist’s conduct in accessing this patient’s records for personal reasons, while against company policy, was of the same “general nature” as the conduct authorized by Walgreens, and therefore at least some of her actions were within the scope of her employment. Since the pharmacist was acting within the scope of employment, the court affirmed that Walgreens could be held liable under respondeat superior.
Acknowledging Walgreens could not be held vicariously liable unless the pharmacist was also liable, the court turned next to the issue of the jury’s verdict concerning the pharmacist. As the jury returned only a general verdict (which does not indicate the specific grounds on which it made its decision), the court speculated on the theory of liability for the pharmacist, and held that the jury could have properly found the pharmacist liable under a general negligence theory. The key factors in a negligence claim are a duty owed to the plaintiff by the defendant, a breach of that duty by the defendant, causation, and damages. To establish that the pharmacist owed a duty to the patient, the court looked to a state law requiring pharmacists to hold patient records and information in the strictest of confidences. Finding this statute to clearly establish that the pharmacist owed a duty of confidentiality to the patient, the court found it unquestionable that the pharmacist’s actions breached that duty, and that the patient sustained at least some damages as a result. Therefore, the court concluded the jury could properly have found the pharmacist directly liable for the breach of confidentiality, and Walgreens vicariously liable for the breach.
Commentary on this case has largely focused on HIPAA implications, and sometimes the more specific prospect of employer liability for employee HIPAA violations. Importantly, HIPAA was not a factor in the appellate court’s reasoning. Rather, the court looked primarily to state law for privacy expectations and a duty of confidentiality. That distinction creates broader implications for employer liability beyond HIPAA or health care generally.
A multitude of state laws now impose confidentiality, privacy and security obligations. Some are limited to certain professional occupations (e.g., pharmacists, physicians, even <<gasp>> lawyers), but many are more general. For example, many states have enacted requirements to maintain general or specific security measures without regard to industry. In fact, states increasingly read privacy and security obligations into their application of unfair and deceptive trade practices statutes, imposing a duty to maintain privacy and security across sectors and without regard to types of personal information affected.
The Indiana appellate court’s reasoning in the Walgreens case clearly suggests that employees owing a statutory duty of confidentiality under state law could be liable for a breach of such duties, and their employers may be vicariously liable for the reasons noted. While some state laws specifically enumerate such duties at the employee level (particularly where a license is held by the individual), it is not clear that this distinction made a difference to the court’s rationale, meaning courts applying general privacy or security laws may consider following suit, even if the law does not create duties specifically aimed at employees.
Further, the Indiana appellate court’s broad characterization of what constitutes actions “within the scope of employment” could leave many employers on the hook for large damage awards, even if the underlying employee violation is indisputably against company policy.
While the Walgreens outcome alone may not establish a trend toward more frequent employer liability, it is important to recognize the case may be novel only in the size of the verdict awarded. For example, in 2006, the North Carolina Court of Appeals used similar reasoning to overturn the dismissal of a plaintiff’s negligent infliction of emotional distress claim against a doctor who allegedly allowed his office manager to improperly access the plaintiff’s medical records (Acosta v. Byrum).
What Should You Do?
The Walgreens outcome makes clear that policies, training and other compliance efforts may not indemnify employers against an employee’s breach of confidentiality or privacy. In addition to keeping an eye on further developments that either support or erode this potential liability trend, employers should consider whether broad technical access to systems is necessary and justified. Flat access rights can be necessary, particularly in health care settings where care often trumps privacy as a consideration. However, technical access limitations are the most effective way to demonstrate that employee misdeeds, when orchestrated in violation of systems-based (rather than merely policy-based) access controls, should not be held against the employer because they are clearly outside the scope of employment. Interestingly, the same approach can strengthen employers’ Computer Fraud and Abuse Act claims and can reduce the risk of HIPAA enforcement that may arise from similar facts.
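One way to make the “systems-based rather than policy-based” recommendation concrete, as an added illustration that is not from this alert and does not describe Walgreens’ actual systems: a hypothetical pharmacy record-access gate that permits a lookup only when a recent prescription at the pharmacist’s own store evidences a treatment relationship, keeps an emergency break-glass path open (addressing the point that flat access is sometimes necessary in care settings) but records the stated reason, and flags every denial and break-glass use for review. The store ids, patient ids and 180-day lookback window are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Prescription:
    patient_id: str
    store_id: str
    filled_on: date

@dataclass
class RecordAccessGate:
    """Systems-based check: open a record only when the data show a recent treatment relationship."""
    prescriptions: list[Prescription]
    window_days: int = 180          # assumed lookback window (constructed value)
    audit_log: list[dict] = field(default_factory=list)

    def has_treatment_relationship(self, store_id: str, patient_id: str, today: date) -> bool:
        cutoff = today - timedelta(days=self.window_days)
        return any(p.patient_id == patient_id and p.store_id == store_id
                   and p.filled_on >= cutoff for p in self.prescriptions)

    def request_view(self, user: str, store_id: str, patient_id: str, today: date,
                     break_glass_reason: Optional[str] = None) -> str:
        """Decide and audit every attempt, denials included, so misuse is visible rather than silent."""
        if self.has_treatment_relationship(store_id, patient_id, today):
            decision = "ALLOW"
        elif break_glass_reason:        # emergency path stays open but is recorded for review
            decision = "ALLOW_BREAK_GLASS"
        else:
            decision = "DENY"
        self.audit_log.append({"user": user, "store": store_id, "patient": patient_id,
                               "date": today.isoformat(), "decision": decision,
                               "reason": break_glass_reason})
        return decision

    def flagged_for_review(self) -> list[dict]:
        return [e for e in self.audit_log if e["decision"] != "ALLOW"]

# Constructed sample data, not from any real pharmacy system.
SAMPLE_PRESCRIPTIONS = [
    Prescription("pt-001", "store-17", date(2024, 1, 15)),  # recent fill at this store
    Prescription("pt-002", "store-42", date(2024, 2, 1)),   # customer of another store
    Prescription("pt-003", "store-17", date(2023, 1, 1)),   # fill too old to count
]
def demo() -> list[str]:
    gate, today = RecordAccessGate(SAMPLE_PRESCRIPTIONS), date(2024, 3, 1)
    plain = [gate.request_view("rph-a", "store-17", p, today) for p in ("pt-001", "pt-002", "pt-003")]
    return plain + [gate.request_view("rph-a", "store-17", "pt-002", today, "hospital call: interaction check")]
```

The flagged entries are the evidence an employer would point to: the lookup was attempted against a control the system enforced, not merely one written in a policy binder.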