Giant Food and Elensys - Looking out for Customers or Gross Privacy Invasions?

Case Study: Giant Food and Elensys - looking out for customers or gross privacy invasions?

1. Did Giant violate HIPAA? Did Elensys? Why/why not?

According to HIPAA Health privacy rule, an individual's private information can be disclosed to a business associate (a third party that provides services on behalf of the entity on contractual basis) and only needs customer approval in case of marketing communications. Given the fact that the partnership with Elensys was solely focused on prescription compliance and avoided any sort of DTP marketing communications, neither Giant Food nor Elensys blatantly violated the HIPAA. Elensys in this case does not represent an outside party but a qualified inside agent, therefore limiting further the perils of information spillage. Giant Food took also additional security measures when building the information database, splitting the information in two and placing a high level of protection against unwanted leakage. Elensys did not own or receive complete private medical information about individuals. These actions were meant to assure that the business associate, in this case Elensys, will properly protect the information as required by HIPAA.

The evident flaw in the course of actions of Giant Food would be the initiation of the compliance program without prior obtaining the consent of its customers as dictated per law. It is also not clear how much information was disclosed about the privacy rights and practices to the customers. However, they were duly informed about the program before its start, and were given an easy and accessible way to opt out. Moreover, it was believed that the ethical issues arising from sharing private medical information would be soon overshadowed by the direct and undoubted benefit of the compliance program for both customers and pharmacies. I therefore consider that no direct violation of the HIPAA was committed, with only obvious ethical issues constituting the body of the problem.

2. What course of action should Giant take given the Washington Post article? Be specific.

The Washington Post is a reputable publication, with at least 800,000 readers at the time of the article's publication. Therefore, such an article would have a high resonance and impact on the company's brand and perception amongst customers. Immediate actions should be taken in order to reverse any damage to the image, before a significant number of clients are lost in the process.

Throughout the history of Giant, the customer's interests were always a priority for the company, and the corporate culture was built around the motto - "There is nothing too good for the Giant customer". Therefore in such a sensitive matter, involving customer privacy and ethics in medicine, Giant Food has to retreat and abandon the prescription compliance program. Moreover, the outsourcing of services goes against the "keep it in the family" strategy adopted by Giant, who was one of the first to successfully