Health Information Compliance Alert

Published on Wed Sep 21, 2016 PDF

Watch out: OCR is referring cases to the DOJ for criminal investigation.

Historically speaking, criminal prosecutions of HIPAA violations are rare. But that’s not really the case anymore, as law enforcement agencies are increasingly seeking prosecution of HIPAA-related crimes. Here’s what you need to know about how these most recent criminal cases are changing the HIPAA enforcement landscape.

How ‘Wrongful Disclosure’ Can Earn Prison Time

Background: A U.S. District judge in Florida sentenced a former employee of Tampa General Hospital to three years in federal prison for wrongful disclosure of individual identifiable health information and wire fraud. The employee had pleaded guilty to the charges back in May.

Despite receiving regular HIPAA training, the employee illegally accessed the protected health information (PHI) of more than 600 patients and then used that information to file at least 29 false tax returns seeking refunds totaling $226,000, according to an Aug. 2 announcement by the U.S. Department of Justice (DOJ).

And this isn’t an isolated incident — the number of prosecuted cases of criminal HIPAA charges is growing.

In June, an Ohio federal district court convicted a former respiratory therapist for stealing the PHI of 596 patients and using the information to obtain intravenous drugs. The therapist worked for ProMedica Bay Park Hospital and was convicted on a misdemeanor charge. She is awaiting sentencing, which could include up to one year in prison (see “Watch Out for Criminal Charges Resulting from HIPAA Violations,” Health Information Compliance Alert, Vol. 15, No. 4, page 31).

Individual prosecutions of HIPAA violations can also stem from larger investigations into an organization’s healthcare fraud. For example, a former district manager of Warner Chilcott pleaded guilty to wrongful disclosure of individually identifiable health information following a $125 million settlement with the pharmaceutical company for fraud charges.

As a result of the criminal HIPAA charges, the former district manager could face a maximum punishment of up to 10 years in prison, three years supervised release, and a $250,000 fine.

What’s more: OCR also refers cases to the DOJ for criminal investigation in certain situations. As of July 31, 2016, OCR has made 578 such referrals to the DOJ.

Understand What Puts You at Risk

So, what turns a HIPAA violation into a criminal offense? According to the Compliancy Group, HIPAA violations become criminal cases when they involve “egregious wrongdoing” instead of more benign misinterpretations of the rules or small slip-ups.

Although criminal HIPAA cases are relatively rare, the DOJ and other law enforcement agencies will continue to prosecute them with similar intensity as the Warner Chilcott violations, the Compliancy Group states. And the Warner Chilcott case demonstrates that the DOJ is handling criminal HIPAA violations with the same severity as comparable fraud schemes and criminal activity in any other industry.

And given the increasing news coverage and public attention on healthcare data breaches and HIPAA violations, prosecuting criminal HIPAA violations could become the next frontier for the DOJ, according to a blog posting by attorney Sara Kropf of the Law Office of Sara Kropf PLLC in Washington, D.C. (https://grandjurytarget.com/2015/12/08/criminal-prosecutions-under-hipaa/).

DOJ Prosecutions are Aggressive When Fraud is Involved

Beware: Criminal HIPAA penalties are nothing to sneeze at either — for violations, individuals can face fines of up to $50,000 and up to one year in prison. If the person commits the offense “under false pretenses,” the maximum punishment increases to a $100,000 fine and up to five years in prison.

But if the “offense is committed with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm,” the person can face up to a $250,000 fine and 10 years in prison.

Prediction: “It would not surprise me if the DOJ continued to prosecute HIPAA violations aggressively, particularly when medical information is being sold for economic gain,” Kropf said. “That aggressiveness, however, seems unlikely to extend to computer breaches of providers’ systems.”

OCR requires providers to disclose breaches to patients, to the HHS Secretary and to prominent media outlets in certain circumstances, Kropf noted. “Those incentives seem strong enough to ensure that healthcare providers will put into place strong enough hacking-defense systems to avoid any criminal liability in the first place.”

Resources: To learn more about the Tampa hospital employee case, go to www.justice.gov/usao-mdfl/pr/former-tampa-area-hospital-employee-sentenced-stealing-patient-information-and-filing. To read about the Warner Chilcott case, visit www.justice.gov/usao-ma/pr/former-pharma-company-manager-pleads-guilty-criminal-hipaa-violation. More on the case of the ProMedica respiratory therapist is available at www.toledoblade.com/Courts/2016/06/24/Ex-therapist-found-guilty-of-accessing-patient-records.html.