Press America, Inc, a mail service used by a pharmacy benefit manager CVS Pharmacy, is being sued for the occurrence of an accidental disclosure of 41 people’ protected health information.
As a subcontractor to supply a mail-order pharmacy service for the health planCVS Pharmacy is a business associate of health plan CVS Pharmacy and, as such, both bodies must adhere with HIPAA Rules.
CVS Pharmacy completed a business associate agreement with the health plan, and Press America completed a similar agreement with CVS Pharmacy as PHI was needed in order to complele the mailings.
CVS Pharmacy claims the HIPAA Privacy Rule was breached by Press America when it ‘accidentally’ disclosed PHI to unauthorized people due to a mailing error.
The disclosure of some plan subscribers’ PHI was a mistake, but the privacy breach breached a performance standard in the CVS Pharmacy’s contract with the health plan provider. By breaching the performance standard, the CVS Pharmacy had to make a payment of $1.8 million to the health plan
A legal action was submitted by the CVS Pharmacy seeking indemnification from the mail service under the terms of its BAA and common law principles. CVS Pharmacy argues the mismailing happened due to the negligence of its subcontractor, and the $1.8 payment was issues as a direct consequence of that negligence. CVS Pharmacy maintains the breach was completely under the control of its subcontractor.
CVS Pharmacy claimed the mail service owed it a duty of reasonable care and that duty of care was violated. Since PHI was wrongly disclosed and the HIPAA Privacy Rule was breached, CVS Pharmacy had to issue notifications to the 41 plan subscibers, which the complainant believes damaged its reputation.
The mail service wished to dismiss the claim of negligence, and in its motion to dismiss the lawsuit, argued against the validity of the contractual obligation CVS Pharmacy had to the health plan that necessitated the $1.8 million payment. The mail service also argued that its indemnification provisions were not aiming to cover this sort of payment.
However, the federal court chose not to dismiss the CVS Pharmacy’s legal action. The court decreed that the indemnification provisions of the subcontractor were broad enough to include CVS Pharmacy’s payment to the health plan, and the subcontractor could not challenge the contractual obligation since it was not a party or third-party beneficiary to the contract. The court also decreed that CVS Pharmacy adequately alleged negligence based on the breach of duty.
Financial losses were also experienced due to that negligence, as CVS Pharmacy had to make a large payment to the health plan along with covering the cost of issuing alerts to the plan subscribers whose PHI was accessible. Due to this, the motion to dismiss the case was turned away.