2 Indest-2009-1By Shelby Root and George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule, implemented in 2013, modified HIPAA’s privacy and security rules. However, solutions aimed at health privacy challenges such as data and information collected by mobile apps generally lie outside the scope of HIPAA. To solve this problem, some states are working on a solution to the problem of patients not having a private right of action. One solution is to hold employers liable for privacy torts resulting from a breach of confidential medical information through the legal doctrine of respondeat superior.

Walgreen Co. v. Hinchy.

In the recent case, Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App. 2014), Withers, the defendant’s employee-pharmacist, accessed a patient’s prescription profile for personal reasons. The patient, Hinchy, filed claims against Walgreen and Withers for breach of privacy. Hinchy filed claims against Walgreen claiming vicarious liability and direct negligence. A jury verdict of $1.8 million was awarded to Hinchy for breach of privacy in this case.

The Doctrine of Respondeat Superior.

Vicarious liability will be imposed upon an employer through the doctrine of respondeat superior when “the employee has inflicted harm while acting ‘within the scope of employment.'” For an act to fall within an employee’s scope of employment, “the injurious act must be incidental to the conduct authorized or it must, to an appreciable extent, further the employer’s business.” An employer is not held liable because it did something wrong, but rather “because of the employer’s relationship to the wrongdoer.”

Court’s Decision in Walgreen Co. v. Hinchy.

The court pointed out in Hinchy that Withers was authorized to use Walgreen’s computer system and printer, handle prescriptions for customers, look up the customers information on the computer system, review a patient’s prescription history, and make prescription-related printouts. When Withers committed the confidentiality violation she was at work, on the job, and using the company’s equipment. Withers owed the plaintiff a duty of privacy protection by virtue of her employment as a pharmacist. The court concluded that Withers caused harm to the plaintiff while acting within the scope of her employment.

Editor’s Comments.

This case is good law. An employer should be held liable when it places an employee in a position where the employee can injure another. Employers have a separate duty to closely supervise their employees, as well.

Healthcare employers must take precautions to prevent such breaches as occurred in the Hinchy case. Under traditional tort analysis, the employer is in the best position to prevent the injury. Under HIPAA, the employer has a number of additional duties including training its employees properly and securing information.


What are your thoughts on respondeat superior? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.


Terry, Nicolas. “Employer Liability for Privacy Torts.” Health Law Professor Blog. (Dec. 21, 2014). From:

Walgreen Co. v. Hinchy, 21 N.E.3d 99 (Ind. Ct. App. 2014). From:


About the Authors: Shelby Root is a summer associate at The Health Law Firm. She is a student at Barry University College of Law in Orlando.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Keywords: Health Insurance Portability and Accountability Act (HIPAA), Walgreen Co. v. Hinchy, HIPAA Omnibus Rule, HIPAA compliance, data security, protected health information (PHI), patient privacy, patient rights, HIPAA violation, privacy, defense attorney, defense lawyer, HIPAA defense attorney, HIPAA attorney, HIPAA lawyer, health law firm, The Health Law Firm

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2015 The Health Law firm. All rights reserved.

S:\Website additions\Blog Blurbs\HIPAA Breach Basis for Tort Actions.wpd