HIPAA Regulatory Alert

In brief: Guilty plea in first HIPAA privacy case

A SeaTac, WA, man pleaded guilty in federal court to wrongful disclosure of individually identifiable health information for economic gain. The guilty plea entered by Richard Gibson, 42, was the first criminal conviction under the HIPAA privacy rule, according to the U.S. Attorney in the Western District of Washington.

In a plea agreement, Gibson admitted that he obtained a cancer patient’s name, date of birth, and Social Security number while he was employed at the Seattle Cancer Care Alliance and used that information to get four credit cards in the patient’s name. Gibson used the cards to spend more than $9,000 in the patient’s name, buying video games, home improvement supplies, apparel, jewelry, porcelain figures, groceries, and gasoline for his personal use. He was fired from the job shortly after the identity theft was discovered.

The plea agreement sets forth a sentencing range of 10-16 months in prison followed by a period of supervised release.

Civil money penalties rule extended

The Department of Health and Human Services extended for one year the Sept. 16, 2004, expiration date for an interim final rule establishing procedures for imposition of civil money penalties on entities that violate HIPAA administrative simplification standards. The agency said it needs more time to develop a more comprehensive enforcement rule, and the extension was needed to avoid the disruption of ongoing enforcement actions while development of the comprehensive rule is finalized.