The federal law called HIPAA requires anyone who has access to medical information to keep it confidential. Businesses that violate the law can face penalties from the government. A big new threat, though, is that recently some courts have also started allowing people whose information was improperly disclosed to sue for damages in court.

This is significant, because the HIPAA law applies not only to doctors and hospitals but also to businesses that have even occasional access to medical data. This includes dentists, pharmacies, chiropractors, rehab facilities, insurers, data processing companies, transcriptionists, accountants and consultants who work with medical clients, and others.

In one recent case, a Walgreens pharmacist improperly accessed a patient’s records and allegedly disclosed them to her husband. The patient was the husband’s ex-girlfriend, with whom he had a child. The pharmacist apparently found information about whether the patient had a sexually transmitted disease and whether she stopped taking birth control pills shortly before becoming pregnant.

The Indiana Court of Appeals approved a jury award of more than $1 million against Walgreens for the incident.

In another case, a woman specifically asked her gynecologist not to provide her medical information to a man she was involved with. But when the man’s lawyers served the gynecology practice with a subpoena during a paternity lawsuit, the practice handed over the records – without telling the woman or informing the judge in the case.

The Connecticut Supreme Court said that the woman could sue the medical practice for money damages for the breach of confidentiality.

If anyone in your business has access to medical information, it’s a good idea to review your protocols for keeping it private.