CVS Pharmacy Lawsuit Over HIPAA Breach Survives Dismissal Motion

Pharmacy benefit manager CVS Pharmacy is suing mail service provider Press America, Inc in relation to over an accidental disclosure of 41 peoples’ protected health information.

CVS Pharmacy is under contract to provide a mail-order based pharmacy service for a health plan to which it acts a business associate. Both entities are bound by HIPAA Rules.

CVS Pharmacy completed a business associate agreement with the health plan, and Press America did similar with CVS Pharmacy as PHI was  needed in order to complete the mailings.

CVS Pharmacy argues the HIPAA Privacy Rule was breached by Press America when it mistakenly disclosed PHI to unauthorized people in a mismailing incident.

The disclosure of some plan subscribers’ PHI was an accident, but the privacy breach breached a performance standard in the CVS Pharmacy’s contract with the health plan. By breaching the performance standard, the CVS Pharmacy had to make a payment of $1.8 million to the health plan.

A legal action was undertaken by CVS Pharmacy seeking indemnification from the mail service in lines with the terms of its BAA and common law principles. CVS Pharmacy claims the mismailing arose due to negligence by its subcontractor, and the $1.8 payment was necessary arising from that negligence. CVS Pharmacy believes the breach was completey under the control of its subcontractor.

CVS Pharmacy argued the mail service had to provide a duty of reasonable care and that duty of care was violated. Since PHI was disclosed, by accident, and the HIPAA Privacy Rule was violated, CVS Pharmacy was required to issue notifications to the 41 plan subscribers, which the complainant claims caused affected its reputation.

The mail service wished to have the claim of negligence dismissed, and in its motion to dismiss the legal action, challenged the validity of the contractual obligation CVS Pharmacy had to the health plan that necessitated the $1.8 million payment. The mail service also argued that its indemnification provisions were not supposed to cover this type of payment.

However, the federal court opted not to dismiss the CVS Pharmacy’s legal action. The court ruled that the indemnification provisions of the subcontractor were wide in range enough to encompass CVS Pharmacy’s payment to the health plan, and the subcontractor had no right to challenge the contractual obligation due to the fact that  it was not a party or third-party beneficiary to the contract.

Financial losses were also experienced due to that negligence, as CVS Pharmacy had to make a large payment to the health plan in addition to covering the cost of sending notifications to the plan subscribers whose PHI was disclosed. Due to these reasons, the motion to dismiss the case was thrown out.