As the Federal Government has moved to more aggressive enforcement of the Health Insurance Portability and Accountability Act ("HIPAA") privacy provisions, providers and payers are experiencing significant challenges responding to and addressing privacy violations. One part of this more aggressive enforcement is the effort, in specific circumstances, to bring criminal prosecutions.
Earlier this month, the U.S. Attorney for the Eastern District of Texas announced a criminal indictment of a former employee of an East Texas hospital for criminal violations of HIPAA. The former employee was indicted on charges of Wrongful Disclosure of Individually Identifiable Health Information. According to the indictment, from December 1, 2012, through January 14, 2013, the employee obtained protected health information with the intent to use the information for personal gain.
42 U.S.C. §1320d-6(b) provides for criminal penalties as a result of certain types of violations of the HIPAA privacy protections. The statute provides in pertinent part that "…[a] person who knowingly…(1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be…" subject to certain specified penalties. The penalties include a fine of not more than $50,000, imprisonment of not more than 1 year, or both. The penalties increase in two circumstances: (1) if the violation is committed under false pretenses, to a fine of not more than $100,000, imprisonment of not more than 5 years, or both; or (2) if the violation is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, to a fine of not more than $250,000, imprisonment of not more than 10 years, or both.
The defendant in this Texas case was indicted on the most serious offense involving the use of individually identifiable health information for commercial advantage, personal gain, or malicious harm and faces up to ten years in prison.
Providers and payers are likely to see more criminal prosecutions of individuals. The investigations, however, may expose, to the extent they exist, HIPAA non-compliance or related violations on the provider's or payer's part. The simple message is to redouble efforts to ensure HIPAA compliance.
For some additional information on the government's view of HIPAA criminal prosecutions, you can take a look at an interesting article by Peter Winn in the U.S. Attorney's Health Care Fraud publication from September of 2005: http://www.justice.gov/usao/eousa/foia_reading_room/usab5305.pdf