Criminal prosecutions for HIPAA violations appear to be increasing, putting both individuals and healthcare organizations at risk for more than just monetary penalties and regulatory burdens.
The criminal penalties for HIPAA violations can be severe: a fine of up to $50,000, imprisonment for up to a year, or both. Additionally, if the offense is committed under false pretenses, there can be a fine of up to $100,000, imprisonment for up to five years, or both.
If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the offender can be fined up to $250,000 and imprisoned for up to 10 years, or both.
Those criminal prosecution options are not as well known to healthcare professionals as the civil penalties that are reported often, notes William P. Dillon, JD, shareholder with the Gunster law firm in Tallahassee, FL. The Office for Civil Rights (OCR) has made 688 referrals to the Department of Justice (DOJ) since the law was enacted. “I think the number of referrals is going to grow as the government focuses more on identity theft,” Dillon predicts. “There hasn’t been a ton of referrals to DOJ since the process has been in place, but there is reason to think that is going to increase. Covered entities have to have the right processes in place to stay away from that kind of risk.”
The criminal sanctions for violating HIPAA were part of the initial public law and are codified at 42 USC 1320d-6, explains Darci L. Friedman, JD, CHPC, CSPO, PMC-III, director of content strategy for healthcare compliance and reimbursement within Wolters Kluwer Legal & Regulatory U.S.
There are three prohibitions under the statute. Criminal liability may flow when a person knowingly uses or causes to be used a unique health identifier, or obtains individually identifiable health information relating to an individual, or discloses individually identifiable health information to another person. A person is considered to have obtained or disclosed individually identifiable health information if the information is maintained by a covered entity and the individual obtained or disclosed such information without authorization, Friedman explains.
“Initially, there was some ambiguity as to whether an individual could be criminally liable under the statute and as to whether the term ‘knowingly’ required proof of knowledge that the conduct was contrary to the statute,” Friedman says.
Regarding individual liability, the DOJ concluded that both covered entities and individuals, including directors, officers and employees, may be prosecuted directly under section 1320d-6, Friedman notes.
Concerning the “knowingly” requirement, the DOJ concluded that the element should be read with ordinary meaning to require only proof of knowledge of the facts that constitute the offense and not knowledge that the conduct was contrary to the statute, she says.
“The criminal prosecutions we have seen to date indicate that prosecution is likely where the facts of the case are particularly egregious or where the violation is discovered or prosecuted as part of a larger case involving other kinds of wrongful deeds, like Medicare or tax fraud,” Friedman says.
One of the first cases of a HIPAA privacy prosecution involved a cardiothoracic surgeon from China working at a U.S. hospital in 2010, Friedman notes. After receiving a notice of dismissal, the surgeon accessed and read his immediate supervisor’s medical records, those of other co-workers, and various celebrities. The surgeon was the first defendant in the nation to receive a prison sentence (four months) for a HIPAA violation.
In 2013, a former nursing assistant at a Florida assisted living facility pleaded guilty to selling HIPAA-protected patient information, including Social Security numbers, and tax fraud. She was sentenced to 37 months in prison. The crime was discovered when local police executed a narcotics-related search warrant, Friedman notes.
“Most recently, a Massachusetts physician was convicted of a HIPAA violation for her role in a scheme whereby she shared patient information with a pharmaceutical company representative so that the company could target patients with specific conditions,” Friedman says. “This case illustrates not only a criminal HIPAA prosecution but the DOJ’s ongoing focus on pharmaceutical company marketing practices and their relationships with doctors.”
It is important to note that all three cases noted were pursued against insiders, Friedman adds.
“Healthcare providers must ensure, among other things, that employee access to records is limited to the minimum necessary,” she says. “Limited access should be paired with following the administrative requirements of the HIPAA security rule regarding the management of the conduct of the workforce in relation to the protection of the information.”
Even when criminal prosecution falls on the individual, there still can be significant damage to the healthcare organization, Friedman says. Prosecution of an individual could be a potential flag to enforcement agencies to explore organizational liability.
“Let’s not forget that covered entities may be held criminally liable for HIPAA violations as well. When the covered entity is not an individual, principles of corporate criminal liability determine when a covered entity has violated HIPAA,” Friedman says. “Even if a case does not implicate the covered entity organization criminally, civil and administrative sanctions, up to and including exclusion from participating in the Medicare program, could come into play. If the organization is a focus, in addition to an individual, it is important that it cooperate in the investigation with regard to the individual in order to be eligible for ‘cooperation credit’ under the Principles of Federal Prosecution of Business Organizations.”
The apparent increase in criminal prosecutions likely is the result of several factors, Friedman says. One factor may be the continuing rise in medical identity theft, and another may be the “Yates Memo,” issued by the DOJ in 2015.
In the Yates Memo, then-Deputy Attorney General Sally Yates announced a policy on seeking accountability from the individuals who perpetrated wrongdoing to combat corporate misconduct. The guidance provided in the Yates Memo suggests that U.S. attorneys focus on individuals from the inception of the investigation, Friedman explains.
“Another factor in the increase may be simply that the DOJ is getting used to flexing their HIPAA criminal muscles,” Friedman offers. “The DOJ memo was issued in 2005, and the first prison sentence came in 2010. Since then, we have seen prosecutions in federal districts in Florida, New York, Texas, Ohio, and Massachusetts.”
HIPAA should be a cornerstone of the educational training program for all providers, Friedman says. The training should start when an individual is onboarded and continue throughout the course of their work for the provider organization.
Include in that training information on individual liability, and use recent cases to highlight that liability may include jail time. Criminal prosecution is most likely when an employee in a physician practice knowingly violates HIPAA and the data obtained are used for monetary gain or other illegal acts, says Kyle Haubrich, JD, an attorney with Sandberg Phoenix in St. Louis.
“It is rare that criminal penalties are handed down by HHS,” he says. “Most of the time, the person violating HIPAA does so without knowing that what they did, or didn’t do, was a violation. Therefore, you see more civil penalties than criminal ones.”
The employer could be held liable in a respondeat superior situation, if the employee who was prosecuted was acting on a request to violate HIPAA by his or her employer, Haubrich explains. If the employee acted on his or her own and the employer had no idea the employee was violating HIPAA in a way that caused criminal penalties to be sought, the effect to the employer is reputation-based.
Lack of training and understanding of HIPAA could be contributing to a rise in criminal prosecutions, Haubrich says.
Another cause may be that physicians, healthcare providers, their staff, and even business associates can access multiple records easily with the implementation of electronic medical record software, Haubrich says.
The ability to use the information in a way that could result in criminal penalties (e.g., the temptation to retaliate) is higher.
“Say a physician is fired from a medical practice. However, the practice fails to [revoke] his username and password, allowing him to continue to access the medical records on the EMR software of the practice,” Haubrich says. “If that doctor wanted to retaliate against that group for firing him, he could cause all kinds of problems to a patient’s medical record, including changing diagnosis, or worse, using the patient information to open credit cards in the patients’ names.”
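Detection logic for the stale-credential scenario Haubrich describes, as an added example that is not from the article or any of the quoted practitioners: it cross-references a constructed HR termination list against constructed EMR audit-log lines and flags every access by a user after their termination date, rating write actions (such as a changed diagnosis) as high severity. The usernames, dates and the pipe-delimited log format are assumptions.

```python
from datetime import datetime
from typing import Dict, List, Set

# Constructed HR offboarding record (hypothetical data): username -> termination date.
TERMINATED: Dict[str, str] = {
    "jsmith": "2018-03-01",
    "alee": "2018-02-15",
}

# Actions that modify a record; post-termination writes are the retaliation case.
WRITE_ACTIONS = {"UPDATE_DIAGNOSIS", "UPDATE_MEDICATION", "DELETE"}

# Constructed EMR audit-log lines in an assumed format: timestamp|user|action|record_id
AUDIT_LOG = """\
2018-02-27T09:12:00|jsmith|VIEW|MRN-1001
2018-03-02T22:41:10|jsmith|VIEW|MRN-1001
2018-03-02T22:43:55|jsmith|UPDATE_DIAGNOSIS|MRN-1001
2018-03-03T08:05:12|mjones|VIEW|MRN-2002
2018-02-10T14:00:00|alee|VIEW|MRN-3003
"""


def find_post_termination_access(log: str, terminated: Dict[str, str]) -> List[dict]:
    """Return each audit event performed by a terminated user after their termination date."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts_text, user, action, record = line.strip().split("|")
        term_text = terminated.get(user)
        if term_text is None:
            continue  # still employed as far as HR knows
        ts = datetime.fromisoformat(ts_text)
        term_date = datetime.fromisoformat(term_text).date()
        if ts.date() > term_date:
            findings.append({
                "user": user,
                "when": ts.isoformat(),
                "action": action,
                "record": record,
                "days_after_termination": (ts.date() - term_date).days,
                "severity": "high" if action in WRITE_ACTIONS else "medium",
            })
    return findings


def accounts_needing_revocation(findings: List[dict]) -> Set[str]:
    """Accounts that are provably still active after offboarding and must be disabled."""
    return {f["user"] for f in findings}


if __name__ == "__main__":
    hits = find_post_termination_access(AUDIT_LOG, TERMINATED)
    for hit in hits:
        print(hit)
    print("revoke:", sorted(accounts_needing_revocation(hits)))
```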
The best way to educate employees about the risk is to educate them on what would cause criminal penalties to be sought, Haubrich offers. If employees know that accessing medical records for no legitimate reason could lead to criminal prosecution, they would be less likely to violate HIPAA because they would know the consequences of doing so, Haubrich argues.
“The best defense is making sure the employees know the risk of violating HIPAA, what criminal and civil penalties could be sought based off of violations committed, and that they, too — not just the physician — can be criminally liable for committing certain violations,” Haubrich says. “That can go a long way to helping an employer mitigate the risk of any penalties being handed down.”
Dillon suggests emphasizing to employees the significantly increased risk from intentional violations of HIPAA.
“Criminal prosecutions are reserved for intentional acts that cause harm. If you have a nurse who mistakenly faxes a document to the wrong number — that’s not a criminal act,” Dillon says. “But people who knowingly misuse patient identification need to know that there is this risk, that the government looks on those situations very differently.”
The relatively low number of criminal prosecutions may be due to the overall HIPAA caseload facing the government, says Iliana L. Peters, JD, shareholder with Polsinelli. Prior to joining the firm, Peters spent more than a decade at OCR, most recently as the acting deputy director and as the senior advisor for HIPAA compliance and enforcement. OCR enforces civil violations of HIPAA, and investigates complaints, breaches, and other HIPAA-related matters that come to its attention.
“OCR expects to receive 24,000 HIPAA complaints in 2018. Further, OCR has received almost 2,400 reports of breaches affecting 500 or more individuals, all of which are posted to OCR’s website, as required by the HITECH Act, and investigated,” Peters explains.
From there, Peters says OCR refers any complaints or breach reports that may implicate the criminal provisions of HIPAA to the DOJ.
In potential criminal cases, DOJ must prove that an individual knowingly and in violation of HIPAA used, obtained, or disclosed HIPAA-protected information, Peters notes. Although there are penalties for lesser offenses, DOJ likely would take a case in which the agency would have to prove that the individual intended to use the information for personal gain or malicious harm, particularly for identity theft, fraud, or sale of such information. In such cases, DOJ typically adds HIPAA violations to other violations for which DOJ is prosecuting the individual, Peters says.
“Ultimately, healthcare entities themselves can be liable for millions of dollars of civil money penalties after an investigation from OCR. Individuals, including their employees, can be on the hook for criminal penalties of up to 10 years in prison, in addition to a fine,” Peters says. “Even if criminal behavior by an employee or an outsider is at issue in a particular case, healthcare entities must be vigilant to protect against such potential criminal behavior by ensuring they implement the administrative, physical, and technical safeguards required by HIPAA, given that they are liable for not doing so.”
It is important to remember that criminal prosecution may not start with a standard OCR investigation, says Patricia Wagner, JD, an attorney with Epstein Becker Green. In addition to the OCR referral process, it is possible that a HIPAA violation will come to light when the DOJ is investigating or prosecuting another crime and decides to include the HIPAA prosecution as part of the other matter.
When educating employees on the risk of criminal prosecution, Wagner says leaders can describe real incidents in which people have gone to prison for their actions. This makes the risk more than theoretical, she says.
“Often, it is useful to include examples of when penalties have been applied so that employees have a better understanding of the risk,” she says. “Of course, it is more important to train employees on and to have a culture of compliance for HIPAA and other laws so that the focus of the organization and employees is on performing tasks in an appropriate manner.”
The DOJ memo emphasizes the fact that criminal penalties are reserved for limited and specific violations of HIPAA, notes Elizabeth Litten, JD, HIPAA privacy and security officer with Fox Rothschild.
The memo states that such punishment is reserved for violations involving “‘unique health identifiers’ and individually identifiable health identifiers [IIHI]. Thus, the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals,” the memo reads.
The DOJ memo focuses on violations by covered entities and notes that when a covered entity is a corporate entity, the conduct of agents may be imputed to the entity when the agents act within the scope of employment.
Criminal liability of a corporate entity may be attributed to individuals in managerial roles, Litten explains.
Once a HIPAA violation is referred for criminal prosecution, the case may be easy for prosecutors.
“It may be that a DOJ conviction for a knowing violation of HIPAA is more easily obtained than a conviction for a violation of other federal laws governing healthcare providers, such as Anti-Kickback Statute violations,” Litten says. “In addition, where a healthcare entity, like a large hospital system or health plan, has deep pockets, the OCR may pursue very high civil monetary penalties and rely on the financial implications as a deterrence message sent to the regulated community. DOJ may seek to deter behavior associated with a wider range of criminal activities by pursuing jail time for a HIPAA violation. I expect HIPAA will be used as the basis for criminal prosecution where other, less easy-to-prove criminal conduct is involved, similar to convicting mafia members for tax evasion.” Although criminal prosecution may seem extreme to those accused of HIPAA violations, it may be far more mundane to prosecutors, Litten says.
“Be aware that a HIPAA violation involving disclosure or breach of IIHI may be the low-hanging fruit for criminal prosecutors originally focused on other violations of law,” Litten warns. “In particular, covered entities should carefully evaluate arrangements with third parties that involve the sharing of IIHI with third parties for commercial/personal gain or commercial harm, since the highest criminal penalties under HIPAA are for violations committed with the intent to use or disclose IIHI for these purposes.”