Former Hospital Worker Faces HIPAA ChargesA Rare Case Involving Alleged Criminal Violations
Federal prosecutors in Texas have taken the relatively uncommon move of pursuing criminal charges against an individual for alleged HIPAA violations. The case serves as a reminder that healthcare workers can potentially face prison time and hefty monetary fines for wrongful disclosures of patient data.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The U.S. Department of Justice earlier this month announced the criminal indictment of Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas.
The indictment, which was filed on March 26 in the U.S. district court in Tyler, Texas, but was sealed until July 3, charges Hippler with wrongful disclosure of individual identifiable health information, with the intent to sell, transfer and use for personal gain. The alleged criminal HIPAA violations began about Dec. 1, 2012, continuing through about Jan. 14, 2013, court documents says.
A DOJ statement says the investigation leading to the charges was conducted by agents from the Department of Health and Human Services' Office of Inspector General and the U.S. Postal Inspection Service.
A DOJ spokeswoman in Tyler, Texas, tells Information Security Media Group that Hippler is charged with one count of HIPAA violations. "We cannot comment on how many patient records, his job, employer or the nature of the violation in detail as this is an ongoing investigation," she says. "The violation came to light when Hippler was arrested in Georgia and found to be in possession of patient records. Although criminal HIPAA charges are uncommon, our decision to charge Hippler is not based on any DOJ directive or crackdown."
Attorney Kenneth Hawk, a federal public defender assigned to represent Hippler, declined to comment on his client's indictment.
A jury trial for Hippler's case is slated to begin on Sept. 3. Indictment documents indicate that Hippler potentially faces up to 10 years of prison time and a fine of $250,000 if convicted.
"HIPAA indictments are fairly rare, although over the years I have heard of between a dozen and two dozen of them," notes privacy attorney Adam Greene, a partner at law firm Davis Wright Tremaine.
HIPAA attorney Scot Ganow of law firm Faruki Ireland & Cox P.L.L. notes: "Taking the long view, since 2003, when HIPAA went into effect, I would say such indictments have indeed been unusual, with only a handful being prosecuted and even less being successful. In the past five years, we have seen an increase in the cases involving criminal allegations."
Greene says that HIPAA criminal actions are usually brought in fraud cases, such as identity theft, "although there have been some cases involving snooping on celebrities and public figures."
The first HIPAA criminal case resulting in prison time involved record snooping by a former UCLA Healthcare System surgeon, who in 2010 was sentenced to four months in prison after pleading guilty to four misdemeanor counts of violating the HIPAA privacy rule. Huping Zhou, M.D. admitted in January 2010 to illegally obtaining individually identifiable health information without a valid reason by reading private electronic health records of celebrities and others (see HIPAA Violation Leads to Prison Term).
More recently, criminal HIPAA violations were among several charges - which also included conspiracy to commit Medicare fraud and medical ID theft - that led to the August 2012 conviction of the former owner of a Long Island, N.Y., medical supply company. In that case, Helene Michel, who was found guilty of committing $10.7 million in Medicare fraud, as well as criminal HIPAA violations, was sentenced last August to 12 years in prison Hefty Prison Sentence in ID Theft Case).
"Criminal prosecutions have been relatively unusual because most HIPAA violations are not intentional," Ganow says. "In other words, most unauthorized disclosures of PHI by employees do not happen 'knowingly,' or with the intent to misuse the information, as required for criminal prosecution under HIPAA," he says. "Rather, these disclosures occur as a result of an accident, a mistake, a substandard compliance program or possibly an employee that was just improperly trained or failed to follow such training."
These violations "most often occur at the organizational level with multiple people involved and have rarely implicated one individual, much less with intent to commit an offense," Ganow notes. "That said, criminal prosecution has always been an option under HIPAA, however just not as common as the civil actions."
But that could be changing. "As with any regulation, I think the 'regulated' and the regulators have to learn and grow with the realities of implementing and enforcing a new law and the emerging technologies, especially with such broad application," Ganow says. "I think the environment is more mature and thus we are seeing more activity. Indeed, the honeymoon is over."
Under the HITECH Act, healthcare entities and business associates face their own potential civil enforcement penalties of $1.5 million per HIPAA violation. However, these entities also need to ensure that their staffers are aware of their own personal responsibility - and potential legal consequences - involving HIPAA.
"It is helpful to educate healthcare workers to know that knowingly obtaining or disclosing healthcare records in violation of HIPAA can lead to criminal penalties and imprisonment, although such education needs to be balanced with ensuring that the workforce understands how they can permissibly share information," Greene says. "Otherwise, healthcare workers may be prone to avoid making disclosures that are permissible and beneficial over unfounded fears of criminal penalties."
Those distinctions should be made clear in employee training programs, Ganow says. "As part of their mandated employee training, privacy awareness programs [are] required under HIPAA," he notes. "Training programs are one of the easiest, cost-effective ways to reduce risk, yet I see so many organizations fail to implement them, implement them poorly, or if they do implement them, they do not maintain them and keep them current as part of an ongoing awareness program," he says.
Top Steps Being Taken By Healthcare Entities to Prevent Breaches
Source: Healthcare Information Security Today 2014 survey
Criminal HIPAA cases help to draw attention to the importance and potentially serious penalties individuals face for patient privacy violations.
"As the incentive to steal protected health information for personal gain - such as releasing celebrity medical information to tabloid, or for revenge against a former spouse - increase, I think we will see organizational compliance programs respond accordingly," Ganow says. "With those changes, I think we will see employees become more aware of what is at stake. HIPAA does has teeth and they are starting to show. As with any crime, the question is always whether the risk is worth the reward for a so-motivated employee."