Was this a HIPAA violation?

This happened in the USA. A woman entering a Wal-mart in the night tripped over a large crack in the parking lot. She told the door greeter, who told the manager, and the manager said someone would call her.

Eventually someone called her from loss prevention. They asked for her name and info and social security number; she gave it to them and they said they would investigate. They called back and said they saw she had picked up prescriptions for metformin from the in-store pharmacy, which means she has diabetes, which causes vision problems, so that is what caused her fall, and said she would not be given a gift certificate.

So anyone in the store can view RX records?

Cite, please? Knowing what actually happened helps.

You want my mom’s phone number? 🙂

If the story is accurate, it would almost certainly be a HIPAA violation. IANAL, but you should probably talk to one.

Get a lawyer. Also, diabetes does not automatically cause diabetic retinopathy/diabetic macular edema.

I recommend a lawyer. Also, if you live in a large enough city and don’t mind the publicity, you might want to contact your local TV station’s investigative reporter. Lots of people hate Walmart. Good luck.

A lot going on there: The fall, the investigation, the gift certificate.

HIPAA relates to Protected Health Information (PHI). The law governs how PHI is handled. A Walmart pharmacist has access to PHI as part of doing their job. It sounds like the store manager checked with the pharmacist if the woman had any prescriptions, and then made a diagnosis based on what the pharmacist said, and used that assumption in rendering a decision on the outcome.

That seems like a violation - since the fall should have nothing to do with what medications the woman takes, and it is none of the manager’s business - it is not part of his job to know about people’s medications. The pharmacist should not have provided that info to the manager. My 2¢.

They also did not need her SSN to investigate the incident.

Transaction receipts are probably fair game for any store supervisory staff, although fishing for a way to dodge accountability through patient records is probably going to run afoul of some form of privacy policies that could at least get a bunch of people fired if a letter from an attorney showed up for the manager.

Saying just because you’re diabetic means you have vision problems is silly and petty, not to mention a poor medical interpretation of a given situation, unless she really does have serious vision issues.

What meds she is on could very well be a factor, but information like that is not normally available to a retailer. If it came out in court that she was on a med that tended to cause balance issues or impair judgement a fall could be more the fault of the meds than the store.

Since we’re in the zone of wild speculation, it might be that the store manager recognized a known scam. They checked their records and found that it was the seventh time this year that the tripee had an “accident”.

You want to include information like that next time, instead of making it sound like a story you read somewhere?

Right, but the store manager is probably not a physician, so how would he know that said medication could cause dizziness? It appears the issue was discussed amongst staff not privy to the woman’s health information as part of their normal jobs (like the pharmacist), and then used that information for a business decision.

That said, I do agree with Tapioca that they probably see this type of thing all too often and that is why it was handled by “loss prevention”. However, I do not think the non-pharmacy staff would be able to have access to pharmacy data, according to the law.

Sounds like a potential violation. I don’t see how the gift certificate comes into play. Did your mom ask for that? Was she told she’d receive one? Did she sign a release to get a gift certificate?

If the privacy notice given to her by the Walmart Pharmacy states that her information will not be shared with anyone outside Walmart without her permission, then she’s probably not got a HIPAA claim, as it sounds like they didn’t violate that. If it says it won’t be shared outside the Walmart Pharmacy, that might be a different thing. I have no idea if Walmart’s pharmacy business is a separate enterprise from the rest of the store, but I know that long ago K-mart’s grocery stores were, so it’s possible.

She told the door greeter in a huff, like you need to fix that parking lot. I think the store manager mentioned something about a gift certificate.

But isn’t HIPAA like FERPA in that it is on a need-to-know basis? Suppose I’m a stockboy at Walmart. Are you saying I have access to her info based on the privacy notice?

It shouldn’t matter for HIPAA purposes what she signed with Wal-Mart. HIPAA is designed to protect personal health and identity information and give access only for purposes of facilitating or providing medical care. Just because someone like the store manager works for Wal-Mart, it doesn’t mean that they can have access to the same information as the pharmacy staff because it isn’t needed to provide health care services.

HIPAA is specifically written to prevent such abuses of health information by insiders because that is where some of the biggest threats to privacy come from. One nosy cashier or receptionist could do a lot of damage without HIPAA protections in place.

I don’t know the true circumstances in this case but I do know HIPAA is an unusually strict law and for good reason. A legitimate report of a violation could result in hefty fines, dismissals, or possibly even jail time for those that violate it.

Asking the pharmacist “does medication x cause dizziness or impair judgement” is a perfectly valid and legal question; how he found out a given customer is using said medication vs picking it up for another person is a different story.

I obviously greatly oversimplified the question at hand, and obviously there are lots of other aspects to be considered. My point was that Walmart and Walmart Pharmacy may or may not be two separate business entities and that that may impact upon the legality of what happened as well.

It’s against HIPAA for the pharmacy to release that information to store personnel, even loss prevention and management. It’s strict enough that pharmacists and techs cannot page for customers to return to the pharmacy; just the fact that someone is getting a prescription is protected information. Here’s a PDF of Walmart’s pharmacy privacy practices. Walmart has yearly HIPAA training for all pharmacy employees that hammers this home.

Time for a lawyer.