Arizona Court of Appeals Permits Patient to File Negligence Claim Against Costco Based on HIPAA Violation


A man from Arizona sued Costco for a privacy violation. The lawsuit was dismissed by the trial court but the Court of Appeals overturned the decision overturned. The Court of Appeals’ ruling allowed the patient to sue the pharmacy for negligence based on a Health Insurance Portability and Accountability Act (HIPAA) violation.

The privacy violation under consideration transpired in 2016. The man got a sample of a drug for erectile dysfunction in January 2016. Then Cotsco called him to let him know about the availability of his full prescription, but the man cancelled the order. A month later, when he called the pharmacy about a different prescription, he found out that his the previous prescription was not cancelled. So, he cancelled the prescription again, but it was not cancelled again.

The man at some point permitted his ex-wife to pick up his regular prescription. At the pharmacy, the pharmacist said a joke to his ex-wife regarding the erectile dysfunction prescription that was not collected. The man who was working out a reconciliation with his ex-wife back then alleges that because of the impermissible disclosure to his ex-wife, their attempt to reconcile failed.

The man submitted a complaint to Costco regarding the privacy violation and got a reply letter saying the pharmacist violated the policies of Costco and HIPAA Rules when details of the prescription was disclosed to the ex-wife. The man therefore sued Costco alleging a number of tort claims including the privacy violation and the pharmacy’s failure to cancel the prescription. However, the trials court dismissed the lawsuit.

The man appealed the ruling and the Arizona Court of Appeals partly overturned it. Presiding Judge Jennifer M. Perkins changed the decision about the negligence and claims on punitive damages, though established the other claims that were dismissed.

Judge Perkins determined that Costco had a duty of care to the plaintiff based on Costco’s privacy policies and HIPAA laws and Costco failed to fulfill that duty of care. The reversal of the trial court ruling returns the case to a lower court to continue proceedings.

HIPAA doesn’t support private cause of action, thus filing of lawsuits over HIPAA violations is uncommon. In a lot of cases of patient privacy violations, the lawsuits filed are for state laws violations. This particular ruling of negligence claim based on HIPAA Rules violations is a first in the Arizona state.

The Judge wrote in her ruling that HIPAA doesn’t preempt claims of state law negligence for impermissible disclosure of healthcare data. Consequently, we hold HIPAA’s requirements may notify the standard of care in state law negligence cases just like typical industry practice may determine an alleged tortfeasor’s duty of care and to the degree that state law A.R.S. § 12-2296 permits such claims.