The term “HIPAA violation” can conjure up images of large-scale data breaches. But health care providers need to be aware that, in the midst of the federal government’s increased focus on fraud in the health care sector, the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) is an emerging source of criminal liability. Prosecutions for HIPAA privacy violations are on the rise, possibly because they can be far easier for federal prosecutors to prove — and less conceptually complex for a jury to understand — than schemes involving kickbacks, misbranding, or false claims.
In essence, the privacy rule establishes uniform national standards to protect individuals’ medical records and other personal health information. It requires safeguards to protect privacy and sets limits on what — if anything — can be disclosed without a patient’s OK.
The elements for demonstrating criminal liability under the privacy rule are straightforward, making violations easier for prosecutors to prove. Any provider who violates the privacy rule by knowingly using or obtaining individually identifiable health information or discloses it to someone else may be punished by a fine, prison time, or both.
Here, “knowingly” is defined as using a unique health identifier or obtaining or disclosing protected information without authorization. Unless the disclosure meets one of the privacy rule’s exceptions, a violator can be subject to robust penalties.
In 2014, a Texas hospital employee pleaded guilty to accessing personal health information with the intention of using it for personal gain. He was sentenced to 18 months in prison. In 2015, a former district manager of Warner Chilcott, a pharmaceutical company, pleaded guilty to wrongfully disclosing identifiable health information. He was sentenced to one year of probation and fined $10,000; Warner Chilcott paid $125 million in 2016 to resolve its criminal and civil liability.
In September 2017, Aegerion Pharmaceuticals agreed to pay more than $35 million to resolve criminal liability arising from HIPAA violations stemming from activities of its sales force. In a related prosecution in February 2018, a Georgia pediatric cardiologist pleaded guilty to disclosing protected health information about his patients to a representative of Aegerion Pharmaceuticals. This April, a Massachusetts gynecologist was convicted of violating HIPAA in connection with the Warner Chilcott action for giving a company representative access to patient information. Both the cardiologist and the gynecologist face maximum penalties that include one year in prison and a $50,000 fine as a result of their respective HIPAA violations.
These actions reflect the growing trend of federal agencies leveraging HIPAA’s criminal penalties to obtain guilty pleas and successful prosecutions of providers who are supposed to abide by the law. These incidents also reflect the federal government’s willingness to prosecute HIPAA violations at every corporate level — nonsupervisory employees, management, and corporations themselves — a trend we expect to continue.
Proving criminal liability
An individual violates HIPAA if he or she engages in prohibited conduct — meaning knowingly obtaining or using HIPAA-protected information without authorization. Here’s a key point: Ignorance of the law does not limit an individual’s liability. In guidance issued to the Department of Health and Human Services, the Department of Justice’s Office of Legal Counsel said that an individual needs to have only “knowledge of the facts that constitute the offense.” In other words, individuals risk criminal prosecution for activity that violates HIPAA even if they aren’t immediately aware that their actions are prohibited under the law.
The penalties for criminal violations of HIPAA are substantial — generally a fine of up to $50,000 and up to one year in prison. A violation of HIPAA committed under false pretenses, such as disclosing a patient’s information for a reason the provider knows to be untrue (such disclosing a patient’s protected health information on the premise that the patient is an imminent threat to the public when the provider knows this to be false), can carry a fine of up to $100,000 and imprisonment for up to five years.
The penalties are even greater for violations committed with the intent to sell, transfer, or use identifiable health information for commercial purposes, personal gain, or commercial harm. They can carry a fine of up to $250,000 and imprisonment for up to 10 years.
Precautions for health care professionals
The uptick in federal enforcement actions, along with the stiff penalties, underscore the need for health care providers to establish protocols for preventing and responding to the unauthorized disclosure of protected health information.
At the very least, providers should maintain all patient privacy and confidentiality-related policies (such as notices of privacy practices and authorizations to disclose patient information) in writing and review them regularly to make sure they are addressing trends in federal agency interpretation and enforcement of the law.
We recommend maintaining these policies in writing for several reasons. Doing so ensures that patients are advised of their rights, allows patients to provide written authorization to release information for purposes other than treatment (such as releasing medical information to an insurer or employer), and is a way for providers to demonstrate to regulatory authorities that they are taking appropriate measures to keep patients informed of their rights under the privacy rule.
Practice managers and other compliance staff need to make sure that all clinical and nonclinical employees get HIPAA training each year about what constitutes personal health information, best practices for the use of secure communication systems in discussing personal health information, and how to respond appropriately to requests for this information from patients’ family members, news media, or other third parties.
Practitioners should also exercise extreme caution before sharing personal health information with commercial third parties. A wide array of them — payers, accountable care organizations, researchers, and billing companies — seek access to provider-held personal health information. To be safe, it’s best to first talk with a compliance professional or legal counsel before to responding to their requests for personal health information.
Criminal prosecutions under HIPAA, together with the relatively broad range of conduct for which health care organizations and their staff members may be liable under its privacy rule, require practitioners to constantly be aware of their HIPAA compliance. And remember: Ignorance of the law does not limit an individual’s liability.
Anne M. Murphy, Esq., is a partner in the health care group of Hinckley Allen. Laura B. Angelini, Esq., is a partner in the company’s government enforcement and white collar defense group. Jared Shwartz, Esq., is an associate in the company’s health care group.
i have read Hippa law, and read hospital staff has a right to report medical conditions to dfcs, i did not read where they have a right to make up medical conditions and report them to dfcs, made up by not being in the records and no evidence supporting, i assert this bought DFCS in to our private lives and lked to more fraud in the pediatric chart, and more fraud CASA report versus health records, more fraud by magistrate who testified mother did not prove she was taking medicine for mental health condition, when knowing was testified to in his court ADHD ,Bi Polar, Mentally retarded ruled out, yet this also led to a i assert medical kidnapping and aggravated kidnapping on top of the fraud, the hospital staff i was informed that reported this to dfcs knew someone looking for a baby i assert they all worked in concert, your opinion please thank you
In 2008 my employer requested my PHI for a workers compensation claim…. because it was denied my union reps requested information because it was denied and my PHI was given to them. I had no idea that “ALL” my phi was passed through multiple hands until I talked to a union rep… I soon learned that all my PHI had passed through untold amount of hands and lost all trust in medical staff for over a decade. Sucks and HIPPA really doesn’t mean a thing to me. HIPPA laws and privacy DO NOT cover private heath information.
Insightful read on the effects on violating HIPAA compliance…
I’d want anyone criminally prosecuted who used protected information for financial gain or attention (posting social on social media etc.) That being said, in the ER it is often much more in the best interest of the patient to send a picture of an X-ray or wound without any identifying information than to simply discuss it. This is apparently a no no as it’s protected information via unssecure means. I know there are secure programs to use for this but reality is that everyone is not going to obtain the software and sign on for case. It’s too cumbersome. But a phone can be tapped and we are often yelling sensitive information above the din to be heard. This isn’t criminal. It’s the right thing to do. The headline is sensationalizing the subject a bit.
It would be great if the authors and editors of this article [who purport to be professionals] and others who choose to comment on it would review their work before submitting – it is HIPAA, not HIPPA.
I am confused. The article clearly uses the correct term HIPAA.
There are 769 hospitals across the United States that were financially punished for high infection and Medical Error rates during the year 2017. For a significant portion of those hospitals 2017 was the Third Consecutive Year that they had been so punished by Medicare for those same infractions. One of those hospitals, Palmetto Richland in Columbia, South Carolina, almost certainly inflicted an HAI on my wife late in 2015. They did not diagnose or treat that infection. According to an investigation by Medicare, the investigating physician found that they had not even performed a urinalysis on her during the five day stay there before I moved her to Duke University Hospital, where they discovered the infection within an hour of her arrival. She died of that infection six days later. It had evolved to Sepsis. The fact that Richland has been punished for a high infection rate for three consecutive years is prima facie evidence that the hospital was aware that present conditions to prevent the introduction of an infection were insufficient and did nothing to amend that situation. That is a criminal act and the administrators of that hospital should be prosecuted.
The HIPPA law has been the most significant law established in the various medical organizations that certainly requires extreme consequences when an individual or group of practitioners violate the patients’ personal health care issues.
Being a strong advocate of this law, has been a experience for those of us who in the various professional practitioners. In my opinion this law ( regardless of being twenty years since it has been enforced by the law and the consequences when practitioners have violated their respective professions ), is still often not being followed in the manner that so many practitioners are still not compliant with the law.
Case in point: I do not allow any of my own health care issues to ever be used for the purpose of sharing anything that is regarding my health care, including the insurance companies that I have for my health care issues; I have written to them all of the consequences that I would seek if they would have anything about me on the internet. If I don’t have the information via postal communications, then I make a decision to do what is necessary to address the specific violation by any organization that has my personal health issues in their databases.
My personal physicians, most especially one who has a specialized access for transmitting information to the other physicians who have been referred to me, and the specialized computer that is used for medical information that is necessary for a referred physician to have my history for the purpose of knowing the specifics that my physician has been treating me. I am always going to be affiliated with only practitioners who either have specialized encryption for patients records; or are willing to send any medical information about me via a vetted courier, or through the postal service only.
I have a very good reason why I insist on this situation, and it was first initiated by myself upon learning how one physician was violating the HIPPA Law, with my personal health care information.
I expressed my vexed perspective upon learning how this individual had violated the law. I contacted the individual who was also stalking me using various ways, by stating with a recording device that I informed the person that I had on ( which he did too along with another physician who I sought for my being a patient with the second doctor who was recording and had an open line on the telephone whilst I was in the appointment with the new doctor, and the one who I cautioned and fired was listening for the entire time, until I asked why the telephone line was obvious open to something or someone else? The new onetime only doctor said that the line was being used by another doctor who had an office in the same office as the one who I was meeting for the only one time that I did.
Whilst I was walking to my auto I received a call from my iPhone, from the very same physician who I went to this new one to replace the one who I wish now that I had explored my options about bringing a law suit against this individual; the receptionist who was the former physician’s staff contacted me and stated that the doctor had done several law breaking actions that she could no longer work for such a profoundly unprofessional person that she ever had known.
I am not the type of person who seeks justice through the courts for anything. After that criminal experience, I could not say that I would not allow the situation to go without any court experience about such behavior by anyone else again.
The HIPPA Law extends to the staff of the practitioners too, and I have witnessed countless experiences where the staff was egregiously in violation of the law. The individual whose practice it is, must have a staff where everyone follows the law to the defined aspects of the HIPPA Law, as well as the physicians or practitioners that are employed by the practitioners.
I am greatly dismayed to find this law is no longer applicable. I tried to report a violation & was shot down. They will not investigate. Period.
I have a half-sibling with a personality disorder who has a history of calling up various organizations & report false info. She is a nurse & is believable but she makes stuff up. My NP discussed my info with her & wrote up a whole lot of false info in my medical records & NO ONE will do anything about it. When I changed doctors in hopes of stepping out of the mess the NP & doctor conferred & now my health records are even worse & I can do NOTHING about it. I did not sign any form to share records but was told I can’t restrict providers from sharing. How did medical care get to this? What can be done?