Sounds like it’s worth investigating, to someone, maybe not your mom. I don’t really know who to contact about this, but there are online organizations and forums for this subject. I think Walmart, like all other health care providers (and if they have a pharmacy then they are one) would take this matter very seriously. Unfortunately it’s Walmart, so their seriousness won’t be in your favor. Best bet may be to find out if they have a pattern of this conduct and join forces with other victims.
No they are not supposed to be able to access records beyond the actual customer that they are helping. The manager would have had to go back through tapes and then ask for the pharmacy transaction logs (insurance payments) to determine what her purchase was. Your average clerk would have been told to pound salt. The manager used his position to violate her privacy.
If I were your mother I would file a HIPAA complaint. Here is the web page from HHS that tells you how to file it: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
The complaint, if found valid will result in a fine against Walmart. (also, did your mother get anything in writing from Walmart that shows that they accessed her records? Maybe she should ask for that now, since the manager is going to deny that that is why he ‘turned her down’.)
This does not fix the problem of the dangerous crack in the sidewalk or parking lot. If she has no damages, she could use the threat of the complaint to force the repair to help other people avoid tripping/falling.
But, I would encourage her to file the complaint. Once it is investigated, Walmart HQ will see it started with the crack in the side walk and demand the manager get it fixed. If she files the complaint, Walmart will also crawl through its butt making sure that NO MANAGER ever does that again. Walmart has an entire division of lawyers who are solely focused on keeping them out of law suits and complaints.
Is it possible to pick up the prescription at the pharmacy but pay for it at the front of the store? If so, perhaps the store manager just reviewed her purchase records. But I agree that it sounds like a privacy violation. Plus it’s also a stretch to conclude that she must have had vision problems because she was on a diabetes medication. What if the diabetes is under control with the meds, and her vision is correct otherwise?
No shit, I have been type 2 diabetic for pushing 30 years, and other than the usual change to needing either bifocals or longer arms to read small print, my vision is just fine.
And Metformin does not indicate diabetes. I take Metformin and my AC1 is like 4.8 (totally normal and not diabetic). The drug has other uses.
If diabetes can impact her eyesight, and if the WalMart manager had a legitimate need to know, then there might not have been a HIPAA violation. The lady’s ability (or not) to walk safely in the parking lot may give the manager a legitimate “need to know” the lady’s physical abilities.
Consult a lawyer.
Consulting a lawyer is good advice but the rest of your point is invalid. HIPAA doesn’t work that way.
I’m quite sure that the detailed transaction history of all registers is easily accessible by any member of the management team of a given walmart.
Not that this makes me an expert, but when the HIPAA laws first went into effect, I used to do consulting in this area and talks at medical conferences for continuing medical education units as a side task to my normal business development work.
Assuming we have all the facts correct, it’s not clear to me that anyone saw the person’s medical records other than the pharmacy and loss prevention folks. The greeter and manager may have only taken the woman’s name, and the loss prevention folks may have taken it upon themselves to see if there were any mitigating circumstances, which may or may not have involved illegal access to medical records kept at the pharmacy.
I, like others, am not a lawyer and can only theorize on the situation, but the pertinent pieces of information are, what does the Walmart HIPAA privacy statement (which will be clearly posted at the pharmacy and which copies will be available to patients on request) say about ‘business associates’? That language will be in there and it will explain exactly who outside the pharmacy will have access to those records, and possibly even under what circumstances. My point is, if I was Walmart, I would definitely include the loss prevention folks as ‘business associates’ in my HIPAA privacy agreement, because they have a legitimate need-to-know when it comes to medical records and associated receipts. If someone has a medical condition that indicates they should not be driving, and they get in an accident in the parking lot, I’m sure you would all agree that’s an important fact in the case, rather than them blaming it on the poor lighting in the parking lot, or something else that would be the responsibility of the store. I realize this is someone tripping over a crack, but what’s not clear is whether the woman in questions suffered any injury and intends to sue. From the store’s standpoint, they would have to assume anyone who felt the need to alert the greeter to the fact they tripped is a definite warning sign that may happen, hence the store’s behavior.
Here’s how I see it going down:
- Incident occurs and is reported, at which point loss prevention gets the report
- They likely review store surveillance to see if the incident was captured on camera and if there are any unusual extenuating circumstances as they likely encounter lots of scams on a daily basis. This may include things like wobbling or erratic behavior, etc.
- Since they have the person’s name, they likely check it against store receipts to see if that person purchased something by credit or debit card to see if they purchased anything usual (alcohol, medication, etc) that might contribute to their falling.
- They contact the person and try to talk them out of a potential lawsuit by revealing any evidence they have that indicates the person is partially or totally at fault.
HIPAA can’t be used to exclude evidence from a trial. But if the evidence is obtained outside of the approved procedures, it is still a civil violation and the party can be sued for that.
IANAL and IANAMD, but from a risk management perspective this process is flawed and appears to leave the store exposed to liability, if not now, then in the future:
#1 part they jump to conclusions without sufficient evidence.
Even were #1 true, this is leap to conclusions #2 without sufficient evidence.
Even were #1 and #2 true, this is the #3 leap without sufficient evidence.
Absent other conditions we don’t know about from the OP, this process appears to not be a good-faith effort to resolve a problem. I can’t speak to either the HIPAA or retail management implications, but I’m not impressed with the process described.
TriPolar - Unless there have been changes in the law, I believe only the Government (specifically the Department of Health and Human Services) can issue fines and suits with regard to HIPAA violations. An individual can likely bring a suit for violation of privacy, but I suspect whether it was a person or a corporation (like Walmart), the woman would still have to show that some damages occurred over her medical information being used by the loss prevention folks. I don’t see what real damages have occurred, hence what is the cause for action?
As far as whether this process is “right”, I’m sure every loss prevention organization takes a very cynical view of humanity and assumes everyone is out to sue the store. After all, who among us trips on a crack in the sidewalk, falls, and then immediately thinks, “I’m going to walk back to the front of the store and let the greeter know I fell out of the kindness of my heart because I don’t want others to suffer the same fate as me”. Most people who do that, including people who get mildly hurt, likely would brush it off and continue on their way. Anyone who goes to that much effort is most likely informing the store so that they are aware of the incident because a lawsuit will be coming. The store is putting the woman on notice that they are aware of some potential mitigating circumstances should she decide to go down that path. Is it shitty and aggressive? Absolutely! But is it illegal? I don’t think so. Given the clientele they have at most Walmarts, I’m sure that historically this has proven an effective way to stave off lawsuits from potential scam artists who think they will have a case based on the fact that it is “my word against Walmart, and everyone knows Walmart is a big, evil corporation and will probably settle the case quickly just to make a small fry like me go away”. I am not siding with Walmart, by the way, but simply explaining why I think their behavior is the way it is.
Of course, this all assumes that there is nothing more significant going on. Obviously if the store employees saw numerous people tripping on this crack, or if there was broken glass, rusty nails, etc. (perhaps even from previous people who tripped, but it was never cleaned up), then that’s a different story. Of course, if they really are guilty of some contributing negligence, they’d probably be even MORE likely to use this aggressive approach.
IANALawyer, but I do not think that is accurate. The law is intended to protect health information. For example, if you started getting advertisements for medication you are taking from several drug manufacturers, this would be a violation of the law, same as if you were denied a job, or a loan, based on your health - if you had damages or not. Someone used your private health information without your consent. Based on the OP, that is what is at issue - did people who should not have access to the woman’s health data use that data in making a business decision?
Why Walmart behaves the way it does, and it’s loss prevention strategies, are irrelevant. I think your prior post regarding the status of “business associates” is spot on - the loss prevention team and store manager may have permission to see the woman’s PHI. If that was the case, then there may not be a violation - it all depends on who is allowed to see the PHI (and what they do with it).
I don’t actually know anything about how HIPAA fines and suits are handled (or if I did, I don’t remember it). My point was that that HIPAA violations can’t be used to exclude evidence. The HIPAA regs are supposed to be the relief for violations instead of excluding the evidence. So it may be that you would have to be satisfied with knowing that WalMart gets a big fine, and receive no compensation.
Yes, this would be a violation of HIPAA privacy regulations, under which her information can only be released with her express–and typically written–permission.
The rest of this story does not make any sense, so I’d wonder if your Mom is older or confused or if you have shorthanded some of it…like forgetting to mention in the OP that this is about your Mom. But Bozo managers are out there, so it doesn’t surprise me totally if the part about them revealing your Mom’s personal information is correct.
FYI, you can Google the Walmart pharmacy HIPAA privacy notification pretty easily. It doesn’t allow for anything like what was described.
Very high blood sugar levels can cause temporary blurred vision. For many, this is the first noticable symptom they have and leads to the initial diagnosis. But this is a symptom we only see in uncontrolled sugar levels.
Regardless of the HIPAA stuff… How does “vision problems” get them out of anything? Aren’t their premises supposed to be free of hazards? If the crack exists and is severe enough to cause a fall, do they really get a pass on any injuries incurred by the visually impaired?
They’re implying that grude’s mom didn’t trip over a crack.
And… this is Walmart, nobody expects any better out of them.
No, one cannot take a prescription to the front of the store to pay, at least not at the one I just got prescriptions from last week. Had to pay at the pharmacy counter.
I have various relatives on various diabetes-related meds (and one who is managing with diet and exercise), none of them have any diabetes-related vision issues.
Side note on symptoms: when my DH came up diabetic, he did not report any vision issues. First symptoms he noted were excessive thirst and very frequent urination.