he term “HIPAA violation” can conjure up images of large-scale data breaches. But health care providers need to be aware that, in the midst of the federal government’s increased focus on fraud in the health care sector, the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) is an emerging source of criminal liability. Prosecutions for HIPAA privacy violations are on the rise, possibly because they can be far easier for federal prosecutors to prove — and less conceptually complex for a jury to understand — than schemes involving kickbacks, misbranding, or false claims.
In essence, the privacy rule establishes uniform national standards to protect individuals’ medical records and other personal health information. It requires safeguards to protect privacy and sets limits on what — if anything — can be disclosed without a patient’s OK.
The elements for demonstrating criminal liability under the privacy rule are straightforward, making violations easier for prosecutors to prove. Any provider who violates the privacy rule by knowingly using or obtaining individually identifiable health information or discloses it to someone else may be punished by a fine, prison time, or both.
Here, “knowingly” is defined as using a unique health identifier or obtaining or disclosing protected information without authorization. Unless the disclosure meets one of the privacy rule’s exceptions, a violator can be subject to robust penalties.
In 2014, a Texas hospital employee pleaded guilty to accessing personal health information with the intention of using it for personal gain. He was sentenced to 18 months in prison. In 2015, a former district manager of Warner Chilcott, a pharmaceutical company, pleaded guilty to wrongfully disclosing identifiable health information. He was sentenced to one year of probation and fined $10,000; Warner Chilcott paid $125 million in 2016 to resolve its criminal and civil liability.
In September 2017, Aegerion Pharmaceuticals agreed to pay more than $35 million to resolve criminal liability arising from HIPAA violations stemming from activities of its sales force. In a related prosecution in February 2018, a Georgia pediatric cardiologist pleaded guilty to disclosing protected health information about his patients to a representative of Aegerion Pharmaceuticals. This April, a Massachusetts gynecologist was convicted of violating HIPAA in connection with the Warner Chilcott action for giving a company representative access to patient information. Both the cardiologist and the gynecologist face maximum penalties that include one year in prison and a $50,000 fine as a result of their respective HIPAA violations.
These actions reflect the growing trend of federal agencies leveraging HIPAA’s criminal penalties to obtain guilty pleas and successful prosecutions of providers who are supposed to abide by the law. These incidents also reflect the federal government’s willingness to prosecute HIPAA violations at every corporate level — nonsupervisory employees, management, and corporations themselves — a trend we expect to continue.
Proving criminal liability
An individual violates HIPAA if he or she engages in prohibited conduct — meaning knowingly obtaining or using HIPAA-protected information without authorization. Here’s a key point: Ignorance of the law does not limit an individual’s liability. In guidance issued to the Department of Health and Human Services, the Department of Justice’s Office of Legal Counsel said that an individual needs to have only “knowledge of the facts that constitute the offense.” In other words, individuals risk criminal prosecution for activity that violates HIPAA even if they aren’t immediately aware that their actions are prohibited under the law.
The penalties for criminal violations of HIPAA are substantial — generally a fine of up to $50,000 and up to one year in prison. A violation of HIPAA committed under false pretenses, such as disclosing a patient’s information for a reason the provider knows to be untrue (such disclosing a patient’s protected health information on the premise that the patient is an imminent threat to the public when the provider knows this to be false), can carry a fine of up to $100,000 and imprisonment for up to five years.
The penalties are even greater for violations committed with the intent to sell, transfer, or use identifiable health information for commercial purposes, personal gain, or commercial harm. They can carry a fine of up to $250,000 and imprisonment for up to 10 years.
Precautions for health care professionals
The uptick in federal enforcement actions, along with the stiff penalties, underscore the need for health care providers to establish protocols for preventing and responding to the unauthorized disclosure of protected health information.
At the very least, providers should maintain all patient privacy and confidentiality-related policies (such as notices of privacy practices and authorizations to disclose patient information) in writing and review them regularly to make sure they are addressing trends in federal agency interpretation and enforcement of the law.
We recommend maintaining these policies in writing for several reasons. Doing so ensures that patients are advised of their rights, allows patients to provide written authorization to release information for purposes other than treatment (such as releasing medical information to an insurer or employer), and is a way for providers to demonstrate to regulatory authorities that they are taking appropriate measures to keep patients informed of their rights under the privacy rule.
Practice managers and other compliance staff need to make sure that all clinical and nonclinical employees get HIPAA training each year about what constitutes personal health information, best practices for the use of secure communication systems in discussing personal health information, and how to respond appropriately to requests for this information from patients’ family members, news media, or other third parties.
Practitioners should also exercise extreme caution before sharing personal health information with commercial third parties. A wide array of them — payers, accountable care organizations, researchers, and billing companies — seek access to provider-held personal health information. To be safe, it’s best to first talk with a compliance professional or legal counsel before to responding to their requests for personal health information.
Criminal prosecutions under HIPAA, together with the relatively broad range of conduct for which health care organizations and their staff members may be liable under its privacy rule, require practitioners to constantly be aware of their HIPAA compliance. And remember: Ignorance of the law does not limit an individual’s liability.
Anne M. Murphy, Esq., is a partner in the health care group of Hinckley Allen. Laura B. Angelini, Esq., is a partner in the company’s government enforcement and white collar defense group. Jared Shwartz, Esq., is an associate in the company’s health care group.