It has been slightly more than three years since I first began writing about criminal HIPAA violations. At that time, a couple of stories over the span of a few weeks raised some eyebrows. The 2015 stories appeared to be outliers in the world of HIPAA breaches, with criminal penalties relatively few and far between.
Such an assessment may no longer hold true. Reports of criminal penalties being imposed for HIPAA violations are coming more frequently, and they predominantly emphasize the risk posed by insiders.
As a refresher, the criminal penalties for violating HIPAA are set by statute. A criminal violation arises when a person knowingly, and in violation of HIPAA's privacy or security requirements, does one of the following: uses or causes to be used a unique health identifier; obtains individually identifiable health information relating to an individual; or discloses individually identifiable health information to another person (42 U.S.C. § 1320d-6).
If one of the listed violations occurs, the following criminal penalties can be imposed. For a basic violation: a fine of up to $50,000, imprisonment for up to one year, or both. If the violation is committed under false pretenses: a fine of up to $100,000, imprisonment for up to five years, or both. If the violation is committed with the intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm: a fine of up to $250,000, imprisonment for up to ten years, or both. The intent behind the violation therefore plays the decisive role in determining which tier of penalty applies.
With the refresher on penalties out of the way, the risk posed by insiders takes on new meaning. As has been well documented, insiders pose a significant security risk and run neck and neck with hackers as the leading cause of data breaches. While the data breach itself is a significant concern, an insider's mere access to protected health information does not necessarily end the story.
As the outline of criminal penalties above demonstrates, once an insider accesses protected health information, the inquiry may turn to why that access occurred and what happened to the data. While some insider breaches are "innocent" in nature (meaning the access is driven by curiosity or mistake), sometimes the access is malicious. Those instances are being reported more frequently.
Two recent reports provide prime examples. One comes from a worker in western Pennsylvania who improperly accessed records of at least 111 patients over a period exceeding a year. Further, the criminal indictment cited at least three instances in which the individual used the misappropriated information with an intent to cause harm to those individuals.
The western Pennsylvania case provides a prime example of how information can be misused. To obtain the criminal indictment, prosecutors had to present enough evidence to persuade the grand jury to issue it. That means establishing the trail of improper access and then tying both the access and the intent behind it to the individual involved.
The case has some troubling aspects beyond its basic facts. Why did it take over a year to discover the improper access? A delay that long suggests a deficiency in access monitoring and audit-log review. That is a difficult area of compliance, but one that cannot be ignored.
Additionally, the case underscores the impact of so-called small breaches. Even though relatively few records were taken, the individual may have had personal connections to the patients that could be exploited, which is a major concern when people close to a situation are the ones inappropriately accessing information.
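The monitoring gap noted in the western Pennsylvania case is where routine audit-log review comes in. The following Python example is added here and is not part of the original post or any covered entity's actual tooling. It shows how an organization could flag the kinds of access that appear in these cases: charts of patients with whom the user has no treatment relationship, a colleague's chart, and an unusually high volume of unrelated charts in a short window. The audit records, care-team table, employee list and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EHR audit-log rows (not real data): who opened which chart, when,
# and whether a break-the-glass (btg) justification was recorded at the time.
AUDIT_LOG = [
    {"user": "rn_amy",    "patient": "P100", "ts": "2018-03-01T09:05:00", "btg": ""},
    {"user": "rn_amy",    "patient": "P101", "ts": "2018-03-01T09:40:00", "btg": ""},
    {"user": "rn_amy",    "patient": "P300", "ts": "2018-03-02T21:12:00", "btg": ""},  # a colleague's chart
    {"user": "clerk_bob", "patient": "P100", "ts": "2018-03-03T10:00:00", "btg": ""},
    {"user": "clerk_bob", "patient": "P201", "ts": "2018-03-03T10:02:00", "btg": ""},
    {"user": "clerk_bob", "patient": "P202", "ts": "2018-03-03T10:03:00", "btg": ""},
    {"user": "clerk_bob", "patient": "P203", "ts": "2018-03-03T10:05:00", "btg": ""},
    {"user": "dr_eve",    "patient": "P205", "ts": "2018-03-04T02:00:00", "btg": "ED consult"},
]

# Constructed care-relationship table: patients each user is currently assigned to.
# In practice this is derived from encounter, scheduling or order data.
CARE_TEAM = {
    "rn_amy": {"P100", "P101"},
    "clerk_bob": {"P100"},
    "dr_eve": {"P100"},
}

# Constructed set of patient IDs that belong to workforce members.
EMPLOYEE_PATIENTS = {"P300"}

# Assumed thresholds for the volume rule; tune per role in a real deployment.
VOLUME_THRESHOLD = 3
WINDOW = timedelta(days=1)


def find_snooping(audit_log, care_team, employee_patients,
                  volume_threshold=VOLUME_THRESHOLD, window=WINDOW):
    """Return a list of (user, patient, reason) alerts for suspicious chart access."""
    alerts = []
    unrelated = defaultdict(list)  # user -> [(timestamp, patient)] with no care relationship

    for rec in sorted(audit_log, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"])
        user, patient = rec["user"], rec["patient"]

        if patient in care_team.get(user, set()):
            continue  # expected access: user is on the patient's care team
        if rec["btg"]:
            continue  # justified emergency access: queue for supervisor review, not an alert

        reason = "employee chart" if patient in employee_patients else "no treatment relationship"
        alerts.append((user, patient, reason))
        unrelated[user].append((ts, patient))

    # Volume rule: many distinct unrelated charts opened inside one sliding window.
    for user, hits in unrelated.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {p for t, p in hits[i:] if t - start <= window}
            if len(in_window) >= volume_threshold:
                alerts.append((user, "*", f"{len(in_window)} unrelated charts in {window.days}d"))
                break
    return alerts


if __name__ == "__main__":
    for user, patient, reason in find_snooping(AUDIT_LOG, CARE_TEAM, EMPLOYEE_PATIENTS):
        print(f"{user:10} {patient:5} {reason}")
```

On the constructed log this flags the nurse's access to the colleague's chart, the clerk's three charts outside any care relationship, and the clerk's volume of unrelated charts, while leaving the physician's documented emergency access alone. The care-relationship check is the rule that matters most for the cases discussed here: it would have surfaced the western Pennsylvania worker's accesses as they accumulated rather than a year later.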
A second recent example comes from the criminal conviction of a physician for feeding patient information to a pharmaceutical company. In this case, the physician provided patient information to a representative of the pharmaceutical company for purposes of assisting improper prescription schemes that were also tied to kickbacks.
In the physician's case, though, the kickbacks were not the only story. By taking patient information entrusted to the physician and using it to benefit the pharmaceutical company, the physician created an opening for criminal action under HIPAA. The physician clearly benefited by receiving remuneration or other compensation from the pharmaceutical company, which is what places the conduct in the most serious penalty tier.
The recent examples of criminal convictions are not the only instances where individuals faced punishment for HIPAA violations. A couple of other instances may provide further insight. In New York, a nurse practitioner received a one-year license suspension after taking patient information to benefit the NP's new employer.
The NP obtained information about patients under the NP’s care prior to leaving employment with the first employer. The information was ostensibly obtained for continuity of care purposes. However, as noted, the information was really taken to benefit the NP’s upcoming employer, which is not a permissible reason for taking protected health information.
The other non-criminal example is one of general snooping. At least a dozen employees of Washington Health System were suspended for looking at the records of a colleague who died in an accident, as well as the records of others involved in the accident. At the time the incident came to light, the matter remained under investigation to determine the purpose and intent behind the access. However, snooping is never permissible even if there is no bad intent behind the access. The level of intent only influences the exact nature of the consequences.
In light of all of the risks to the privacy and security of protected health information, insiders should be fully aware of how to respect the rights of individuals. From this perspective, imposing sanctions, whether criminal or civil, on individuals could be the form of deterrence that is needed.
With the focus on security, will criminal convictions continue to rise? Only time will tell, but maybe the next post about this topic will be filled with even more examples. One thing is certain: any improper access of protected health information should be investigated, and prompt action should be taken to cut off and remedy such a breach.