Prison Term in HIPAA Violation Case
Are More Such Prosecutions on the Horizon?
A former Texas hospital worker has been sentenced to 18 months in federal prison for criminal HIPAA violations, one of the toughest penalties yet for that crime. And some legal experts predict more criminal prosecutions for HIPAA violations are likely.
"We have seen between a dozen and two dozen HIPAA criminal prosecutions over the years, so they are pretty rare," says privacy attorney Adam Greene of law firm Davis Wright Tremaine. "But the threat of criminal use of health information and demographic information - such as Social Security numbers - continues to grow, so it wouldn't be surprising to see an increase in these prosecutions."
Joshua Hippler, 30, formerly of Longview, Texas, was sentenced by a U.S. District Court judge after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information, according to the U.S. Department of Justice.
In addition to his incarceration, court documents indicate that Hippler's sentence includes a three-year supervised release and an order to pay $12,152 in restitution. The criminal complaint against Hippler and other documents related to the case, however, are sealed by the court.
HIPAA Violation Details
Federal prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital. During this time, he obtained protected health information with the intent to use it for personal gain, prosecutors say.
A DOJ spokeswoman in July told Information Security Media Group that the HIPAA violation came to light when Hippler was arrested in Georgia and found to be in possession of patient records (see Former Hospital Worker Faces HIPAA Charges).
The case was investigated by the Department of Health and Human Services' Office of Inspector General and the U.S. Postal Inspection Service.
While the sentence Hippler received was a tougher penalty than seen in most other HIPAA-related criminal cases, some others have received stiffer penalties in cases that involved HIPAA violations as well as other crimes.
In October 2013, Florida U.S. district court documents show, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.
In April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud as well as criminal HIPAA violations (see Hefty Prison Sentence in ID Theft Case).
Aside from those cases, most other defendants sentenced for criminal HIPAA violations have generally gotten lighter sentences.
For example, last November, Christopher R. Lykes Jr., a former South Carolina state employee, was sentenced to three years of probation, plus community service, after he sent personal information about more than 228,000 Medicaid recipients to his personal e-mail account. Lykes pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy (see Sentencing In S.C. Medicaid Breach Case).
And in 2010, former UCLA Healthcare System surgeon Huping Zhou was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. Zhou was the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the central district of California (see HIPAA Violation Leads To Prison Term).
"I do expect us to see more prosecutions as the interest in healthcare information increases for a variety of purposes, including identity theft, cyberstalking, public shaming and celebrity watching," says privacy and security attorney Scot Ganow of law firm Faruki Ireland and Cox PLL.
"As long as the healthcare industry continues to actively use Social Security numbers, we will see increased criminal activity and related prosecutions," he says. "The data is simply too tempting for criminal activity. When you think of what information is kept in medical records, the identity theft 'Big 3' are always there: Name, date of birth, and Social Security number."
As to the punishment that defendants get for HIPAA-related violations, "sentencing guidelines are designed to punish and hopefully deter the illegal behavior," Ganow says. "On the civil side, whether a privacy claim advances most often depends on whether the plaintiff can show she experienced harm, or her risk of harm substantially increased, as a direct result of the breach or wrongful disclosure. I would speculate the criminal sentences would indeed become more exacting when harm is shown or the activity had a significant impact on the victims, be they individuals, businesses or even the government."