Pharmacy Release Of Patient Records Held Actionable
Court case finds duty NOT to disclose
Published Jan 30, 2006
A federal court in California dismissed a plaintiff’s claim that a pharmacy released his prescription records to his employer in violation of the Health Insurance Portability and Accountability Act (HIPAA), finding no private right of action. But the court refused to dismiss plaintiff’s claims based on negligence and invasion of privacy.
Plaintiff Ron Poli worked for defendant Mountain Valleys Health Center as a physician assistant and nurse practitioner. Plaintiff and other physician assistants often received prescription recommendations from doctors, transmitted the prescription to a pharmacy, and had the prescription filled for personal use.
Poli on one occasion told a doctor he was taking his girlfriend’s Xanax because he was depressed. The doctor sanctioned the use so plaintiff called defendant Rite Aid pharmacy and told them the doctor recommended use of Xanax. Rite Aid then supplied plaintiff with twenty Xanax pills. [unclear whether a representation was made of a prescription entry]
Poli was subsequently stopped by a police officer and prescription Xanax was found in the car. The sheriff’s office conducted an investigation and requested plaintiff’s medical records from Mountain Valleys. Mountain Valleys did not have any records on plaintiff so they called Rite Aid and obtained plaintiff’s prescription records. [Under HIPAA, this request would not be sufficient to authorize release of this information even if the clinic had them. To obtain them and then release them would clearly be an aggrivated HIPAA violation for which the clinic could be cited for fined -- just not sued according to the court]
Plaintiff was ultimately terminated. He then sued Rite Aid alleging it wrongfully released his records and failed to comply with the HIPAA and asserting state law claims. Rite Aid moved to dismiss.
The U.S. District Court for the Eastern District of California dismissed plaintiff’s HIPAA claims. The court agreed with defendant that plaintiff cannot maintain an action for violation of HIPAA because the statute contains no private right of action.
The court next turned to plaintiff’s negligence claims. In order to prove negligence, a plaintiff must allege four elements: duty, breach, proximate cause, and damages, the court noted.
The Court found that the Plaintiff had alleged all of the necessary elements -- which in effect confirmed the Plaintiff's position that the pharmacy has a duty to require a proper subpoena or court order before releasing the information.