Patient privacy in the pharmacy made the headlines recently when a man sued a large chain drugstore for revealing to his wife that he had a prescription for an erectile dysfunction drug.

The Case

The plaintiff, MF, brought a prescription for eight 100-milligram sildenafil citrate (Viagra) pills into his regular CVS pharmacy to be filled. According to the plaintiff, he gave specific instructions to the pharmacist that he did not want his insurance billed for this prescription and that he would pay with cash. The pharmacist agreed and MF left.

Several days later, MF’s wife called the same pharmacy to check on one of her own prescriptions, and the chatty pharmacy employee on the other end of the phone decided to mention to her that her husband’s Viagra prescription had not gone through the insurance.

The plaintiff is claiming that this disclosure of the erectile dysfunction prescription to his wife caused a breakdown in his marriage. In a lawsuit filed against the drug chain, MF claims that the pharmacy violated his privacy under HIPAA. The lawsuit alleges that the pharmacy employee “without solicitation, improperly informed MF’s wife that his prescription for Viagra was not being covered by insurance.” In the court papers, MF refers to his wife as a “third-party” who had no right to be informed about the drug.

Does MF Have a Case?

The HIPAA Privacy Rule, part of the Health Insurance Portability and Accountability Act of 1996, was enacted to protect personally identifiable health information while allowing the flow of information necessary to provide quality healthcare. It requires covered entities, including pharmacies, hospitals, health plans, and healthcare providers, to treat protected health information (PHI) as confidential.

It’s important to understand that a HIPAA violation does not give rise to a private cause of action to sue. A patient cannot sue for a HIPAA violation. (This misperception is very common in the general public, however).

Patients do have a recourse in the event of a HIPAA violation. A patient can file a complaint with the Department of Health & Human Services (HHS). HIPAA provides both civil penalties and criminal penalties for the mishandling of PHI.  It’s the purview of HHS and states’ attorneys to enforce the penalties and to decide to fine the offender, prosecute or jail the offender (if it was criminal), or to order the entity to institute HIPAA training for employees.

So, if prior legal precedent holds, MF will have a hard time succeeding if he is trying to argue a violation of HIPAA. It is, however, possible to sue and obtain damages for violations of state laws (provided the patient can prove damages).

This case is currently inching through the court system. It may be dismissed or settled before it ever goes to trial (most cases are), but it will be an interesting one to follow.

Your Risks with a HIPAA Violation

If the HIPAA rule is violated, your biggest risk is not getting sued, it is losing your job. The odds of a lawsuit are slim, and when it does happen it is generally the employer (in this case the drug chain) that is sued, not the pharmacist/employee. However, the employee is likely to be fired.

Most large entities – hospitals, pharmacies, medical practices – have strict guidelines about HIPAA and are required to provide some training for employees. Employees are often required to sign documents acknowledging their understanding of patient privacy issues. Breaches of privacy are treated very seriously, and companies will fire employees in order to reassure investigators that the situation has been handled.

Protecting Yourself

In the pharmacy, the best way to protect yourself is to remember to disclose only the minimum amount of information necessary to achieve the purpose of your communication. Never share protected health information. This is where the pharmacy employee in MF’s case when wrong – when MF’s wife called to ask about her prescription, the employee should have answered only that question, and not volunteered any extraneous information.

This “minimum information necessary” holds true if you are calling a patient or leaving them a message to let them know a prescription is ready. It is not necessary to volunteer the name of the medication, its use, or personal information about the person getting it. Always use the minimum information necessary to convey your message.