HIPAA privacy and security officers might not remember his name, but they’ve no doubt felt the ripple effects of what Neal F. Eggeson, and others like him, have achieved. Eggeson, a solo practitioner in Fishers, Indiana, is the attorney whose client won $1.8 million after a Walgreen Co. pharmacist illegally accessed her records.
The Walgreen case was the second of this type that Eggeson successfully brought alleging a HIPAA violation—despite the fact that the law permits no private right of action. In 2010, after a six-year legal battle, he won $1.25 million against a medical practice after a patient’s HIV status was entered into a court document seeking payment for a $326 bill.
Successful privacy cases remain rare, but they do occur. Just last year, in July, a California man borrowing similar legal strategies won a $1 million award against a psychiatrist who thought he was suicidal and told his boss, which led to his loss of employment.
Eggeson’s been out of the news since the Walgreen case, but that doesn’t mean he has not been busy. Previously an appellate attorney, he now has a practice made up entirely of privacy cases. But Eggeson hasn’t had to go to court and is, instead, reaching settlements for victims of privacy breaches.
Each year, hundreds of people who believe their privacy rights have been violated contact Eggeson, and he keeps an active case load of 30, all on contingency. As such, he has perhaps a rare if not unique perspective to share with covered entities and business associates who don’t want to get a call from him or similar attorneys.
In this first part of a Q&A with RPP, Eggeson discusses the significance and background of the two cases for which he is best known, personalizing in concrete terms some of the harms that can result when privacy is violated, a concept that might be somewhat abstract for HIPAA officials. Among the surprises: Eggeson offered to settle his first case for $10,000, but the medical practice turned him down. And also of note: taking appropriate actions after a breach can thwart damages.
Attorney Offers View From Trenches
In part two of the Q&A, to appear in a subsequent issue of RPP, he reviews what he has learned about both the problems in ensuring patient privacy and the solutions to them. Eggeson also makes a plea to the Office for Civil Rights to do a better job of explaining to patients—and providers—what HIPAA covers.
Tell us how you got started handling medical privacy cases.
Around 2004, a friend-of-a-friend-of-a-friend contacted me about a medical privacy issue. He was HIV positive, and he had been sued in a collections matter over an unpaid medical bill. And as part of the court filing in the collections case, the complaint appended a document to the end of the form, which read: “patient last diagnosis—HIV.” I got the impression that he had contacted a number of attorneys throughout my state trying to get someone to represent him. But the issue that he kept running into was everyone understood that HIPAA does not create a private cause of action. So, when the attorneys would go and research whether they could do anything for him, they would come across that piece of information, and everyone would turn him down. I started looking into it, and I was unwilling to accept that there was just nothing that could be done in that circumstance. From that I came up with the idea that, okay, even if you can’t sue under HIPAA directly, that doesn’t make it irrelevant; you can still sue for medical malpractice and say that the standard of care is defined by HIPAA.
You took his case, sued, and won.
Yes. It was 2010 when I got the verdict for that gentleman; we got $1.25 million for him. To the best of my knowledge, that was the first seven-figure medical privacy verdict in the country. The case was M.O. vs. Internal Medicine Associates Inc., out of Bloomington, Indiana.
The verdict wasn’t appealed. Why do you think that was?
It was not; that’s why it probably did not receive as much attention as the Walgreen case did. It was a strategic decision on their part. I agreed to waive a certain amount of interest on payments in exchange for them agreeing not to fight me on it. But it got enough attention in Indiana that I started receiving inquiries on privacy matters exclusively. And that’s how the Walgreen case came in the door, very shortly after the verdict in the M.O. case.
Were you surprised that it took that long to be resolved, and did you recognize, at the time, that it could be a significant verdict in terms of the evolution of medical privacy litigation?
To be perfectly candid, had I known at the beginning that case was going to take six years from beginning to end, I don’t know if I would have been as motivated to get involved as I was. It kept going and kept going. And I understood at the outset that I was out on a limb, because there was no other authority or precedent out there saying that you could use HIPAA in the way that I was trying to use it. Because of that, I offered to settle for $10,000 in the very, very early months, but they were not interested in talking to me.
Why did it take so long?
In Indiana we have a protective system set up for medical malpractice defendants where we have to go through a panel review process before we’re allowed to proceed in court. The panel review process itself will involve discovery and depositions and document exchange. I understood by the time we were done with the medical review panel process that that case was going to go to trial.
Is that still the same process today?
Yes, Indiana still requires the use of medical review panels in medical malpractice cases. The real question, though, is whether a privacy breach is “medical malpractice” the same way that a botched surgery or missed diagnosis is. When I filed M.O.’s case, I assumed it was. But in recent years, Indiana courts seem to have reached consensus that privacy breaches are not medical malpractice, so I’m no longer required to go through the panel process.
How did you know that trial was inevitable? Didn’t the review find for the patient?
Internal Medicine Associates remained unwilling to discuss settlement even after the review panel found, unanimously, in favor of the patient.
You had concerns about going to trial given this was a new area of law.
Every step of the way I understood that there was a better than 50-50 chance that this case could get overturned on appeal if they chose to appeal it because, again, I was out on a limb without any precedent to back me up.
How did the jury come up with the $1.25 million award? Was that an amount you recommended?
I asked them for slightly more than that, and the jury compromised; that would be my guess. I think the sympathy factor for my client was extremely high. He had done nothing wrong. This is something that had just hit him out of the blue. He had spent his entire life protecting this particular secret from everyone in his life except for his mother, as I recall. Having this posted in the public square, so to speak, in such an egregious way, captured the jury’s imagination. If it could happen to someone like this who had been so careful and was so diligent about crossing all of his t’s and dotting all of his i’s, then it could happen to any of us. Any of us could lose our deepest, darkest secrets.
How did you feel after winning the case?
I felt vindicated. That was easily the longest, most taxing case I had ever handled. At six years, it lasted twice as long as any other case I had ever handled. And six years of costs and expenses add up—those are not insignificant numbers, especially for a solo-practitioner. I don’t want to make it about me, because the reality is for M.O., it changed his life. It enabled him to move out of the small-town community. It enabled him, as I understand, to even record an album or two. I’m not really clear on the details of where he ended up, but he did not stick around here long. And I think he was pleased that this money opened certain doors for him.
And he was able to maintain his anonymity throughout the trial? Even when he testified?
What was the significance of the verdict or the precedent it set?
Because it didn’t go up on appeal, it really didn’t carry any precedential value. What it did was signal to attorneys and to patients around the state that this is something that juries are going to take seriously, that medical privacy is going to be prioritized. And the value of medical privacy is something that an average juror is going to be able to understand…a new door had been opened. I think it was significant.
And it had an impact on your practice?
After that, almost all of my intake calls became about medical privacy. I’m averaging about 350 intake calls a year. About 30% are from Indiana. These are 350, give or take, medical privacy violations from around the country that people contact me about every year. I would say I accept about 1% of the calls I take each year. I am not licensed in other states.
How do you decide which cases to take?
For out-of-state cases, there have to be extremely egregious violations, something very clearly problematic with clear, demonstrable consequences. I only carry a caseload of 20 to 30 at any given time; frankly, it’s just a question of bandwidth. I’m a two-person operation, me and a part-time legal assistant. There’s only so much I can do.
Are these all legitimate cases, legally speaking?
Everyone who contacts me feels that he or she has a legitimate case. Whether they’re right about that is another matter. I would say there’s a lot of confusion amongst laypeople as to exactly what HIPAA does and what it accomplishes. Most people, when they say HIPAA, it’s a synecdoche for the privacy rule, which only applies to your medical providers, right? So, if your employer starts spreading your medical information, that probably isn’t a HIPAA issue. Whether they have actually been wronged in some way, I would say almost all of them are correct about that. Whether it’s a medical privacy issue that I can help them with as opposed to an employment issue or an ADA [Americans with Disabilities Act] or something like that is another matter.
But they also could presumably bring a state-based case, correct, using a state privacy law versus HIPAA?
Yes, some states, such as California, have extraordinary state statutes. Indiana not so much. Many states are creating these private causes of action all by themselves. Some people won’t have to go through the rigmarole that I had to go through in creating a cause of action out of medical malpractice that might not otherwise have existed under HIPAA.
Let’s talk about the Walgreen case. Here a woman’s ex-boyfriend was dating a pharmacist who looked into her prescription file and then shared it with him. He later told her he knew she had stopped taking birth control, which had led her to having their son. And he threatened her with going public to the point that she dropped her paternity claims. How did that come to you?
As I said, after the 2010 verdict in the M.O. case, my intakes on privacy calls just skyrocketed. I received the call from Abigail Hinchey probably within six months of that verdict being reported.
Did you know immediately that it could be a good case, an important case?
I understood its potential. We sued Walgreen and the pharmacist. I will say that I was not overly excited about it, right from the get-go. It took some coaxing from my wife to convince me that this—if it were going to last for six years, like the M.O. case—might be worth that investment.
I intentionally chose not to sue the ex-boyfriend. Under the law, the ex-boyfriend has no legal obligation to keep Abigail’s secrets—only the pharmacist and the pharmacy are bound by HIPAA to keep information confidential. As soon as the pharmacist shared the information with the boyfriend, nothing stood in the way of the boyfriend doing whatever he wanted with that information, including telling others if he chose to do so. Yes, the boyfriend was just as much of a villain here as the pharmacist, but there’s no law against being a jerk.
My concern was in selling this to the jury. The jury would be confronted with the fact that, as egregious as the facts were, as clearly as my client’s privacy had been violated, I would be asking them to reward her for having gotten pregnant on purpose. And I worried that I would not be able to get past that in the eyes of the jury to make them feel sympathy for her.
Why didn’t the case settle?
Walgreen was adamant that they had done everything in their power…they had trained this employee correctly, and so they were convinced that they were going to win or prevail on appeal. And whether that was just bluster or a belief that was genuinely held, I never fully knew. They just never saw much value in the case. They sent the pharmacist home for the rest of the day on the day that my client complained. The report made it to Walgreen’s internal complaint people. But that was the extent of it.
What do you think most hit home with the jury?
One of the prime motivators for that jury was the fact that the pharmacist in that case had not been disciplined, had not been fired. They hadn’t done anything to restrict the pharmacist from future access to the patient’s file, and I think the jury was motivated to punish Walgreen because of that.
Have things changed since then?
I’m speculating here, but I believe health care organizations around the country took notice of the verdict. I think it showed health care providers that appearance is important to juries—that if you appear not to care all that much when your employee does something wrong, juries will hit you hard for appearing indifferent. Before Walgreen, almost every case that crossed my desk involved wrongdoers who were still working for their employers. Since Walgreen, it is extremely rare that I encounter a case where the employee isn’t fired the minute the health care provider learns there has been a privacy breach.
The punishing motivation has largely been stripped from most of the cases I have. So, if there has been a change, that is the one thing I have seen.
This case was upheld on appeal, and the Indiana Supreme Court declined to hear it. Can you discuss some other significant aspects of the case?
The primary issue for which it is cited is the inquiry that courts are supposed to go into in deciding whether someone is acting within the scope of their employment or not. Every health care system, every employer, when an employee does something wrong, is going to say, “Well, but we didn’t want our employee to do that. And we have written policies against that, and we trained them not to do that. So we shouldn’t be held responsible for it. This is a rogue employee violating all of our rules. It should be on him or her. It shouldn’t be on us the employer.”
In Walgreen’s case, we spent a great deal of time, and the appellate opinion spends a great deal of time, discussing that. Just because the employee violates your rules or your handbook doesn’t necessarily remove his or her conduct from the scope of employment. You may still be responsible if certain factors are satisfied.
Like, if the employee is doing something similar or of the same general nature as his or her ordinary job duties, or if it’s happening using your equipment, or if it’s happening on shift, that’s something that may factor in. And so, in Indiana anyway, the Walgreen decision is cited mostly for an examination and exploration of the different factors that go into that inquiry.
It also is cited periodically for determining when something is public. In suing for privacy violations, there are different causes of action; it isn’t always medical malpractice. For example, in the Walgreen case, it wasn’t medical malpractice, because in Indiana, pharmacies are not covered under our state’s medical malpractice act. I had to pursue a common law cause of action for invasion of privacy, and there are certain limitations and restrictions on that. Every state recognizes invasion of privacy in some form, but they all treat it a little bit differently. In Indiana, we had, up until Walgreen, a pretty restrictive interpretation of just how public did this information have to be before we’re going to let you sue over it.
If it was just found out by one of your coworkers, we may not let you sue over that. But if it was posted in a shop window or posted in a public record like the M.O. case, then we will allow you to sue. In Walgreen, it set a precedent in our state that even if it is only disclosed to one person, if you have a special relationship with that one person, like for example, if that’s the father of your child, we are going to let you sue over that.
We understand the difference between sharing that information with a stranger on the street—someone you don’t know—and sharing that information with the father of your child or with your mother or with your spouse or with your child. We will allow those cases to move forward. Those are the two precedents for which Walgreens is cited.
Part two of this interview will appear in the March issue of RPP.