Two Sentenced in HIPAA Criminal CaseCharges Stem from Case Involving Kidnapping, Drug Trafficking
Two individuals - a former hospital worker and a convicted drug trafficker - have been sentenced to serve time in federal prison for HIPAA privacy violations.
But the May 18 sentencing for HIPAA violations of drug "kingpin" Stuart Seugasala is the least of his problems. He'll be serving his 10-year HIPAA-related prison sentence concurrently with three life sentences for his January convictions on drug trafficking conspiracy and two kidnapping charges. In addition to that, he'll serve a consecutive seven-year sentence on firearm violations.
In a statement, the U.S. Department of Justice notes that because there is no parole in the federal penal system, Seugasala will spend the rest of his life in custody.
Meanwhile, as part of the same criminal case, Stacy Laulu, a former financial worker at Providence Alaska Medical Center in Anchorage, was sentenced on May 29 to two years in federal prison for each of her two counts of unauthorized disclosure of health information, for which she was convicted in January. She will serve the two year sentences concurrently. Federal prosecutors say Seugasala in March 2013 contacted Laulu, a friend, to find out if two victims of his crimes, who were both admitted to Providence Alaska Medical Center due to injuries inflicted by Seugasala and two other accomplices, had reported him to police.
"Laulu accessed the private electronic medical files of the victims and reported back to Seugasala," according to the Justice Department statement. Laulu went to trial with Seugasala in January and was convicted of violating the privacy rights of the victims.
Unlike Laulu, Seugasala received the maximum 10-year sentence on his HIPAA conviction. The HIPAA case is the first in the history of Alaska "and one of few such cases prosecuted in the country," federal prosecutors note. Judge Ralph Beistline, who presided over the Seugasala and Lulua cases, said that in committing these HIPAA violations, Seugasala "disrespected the victims again."
While imposing the life sentences on Seugasala, Beistline told him, "You enjoyed being a drug kingpin, you seemed to enjoy the misery that you created, and you enjoyed your criminal posse," according to the Justice Department statement.
Three other individuals involved with the criminal case were also convicted and sentenced on a variety of charges that included drug conspiracy, drug trafficking and kidnapping - but not HIPAA violations.
Relatively Rare Cases
While HIPAA criminal convictions are themselves unusual, it's even rarer in cases involving individuals who are not employed by a covered entity or business associate, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. In those rare cases, the individuals have usually been convicted of HIPAA violations related to other crimes, he notes.
"Before the HITECH Act in 2009, the criminal conviction could be based on an aiding and abetting or conspiracy charge, where the non-employee causes the HIPAA covered entity to violate HIPAA. We have seen this in identity theft cases," he says. "The HITECH Act amended the criminal provision to more explicitly permit prosecutors to go after anyone who improperly obtains or discloses health information, even if not part of a covered entity."
Criminal prosecutions tied to HIPAA violations often are tied to cases "involving criminal conduct, such as identity theft, other fraud, or in this case drug trafficking crimes," Greene notes. "So far, prosecutors have seemed to be more interested in using HIPAA as a secondary charge in other criminal matters rather than seeking to prosecute matters that only involve inappropriate access or use of health information."
There have been only a handful of other federal criminal HIPAA cases elsewhere in the U.S. The 10-year sentence for Seugasala's HIPAA crimes is apparently the most substantial so far.
Among other recent cases was the sentencing in February of Texas hospital worker Joshua Hippler to 18 months in federal prison for criminal HIPAA violations (see Prison Term in HIPAA Violations Case).
Hippler, 30, formerly of Longview, Texas, was sentenced after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information, according to federal prosecutors.
Prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital. During this time, he obtained protected health information with the intent to use it for personal gain, they say.
In another HIPAA prosecution, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced in October 2013 to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information (see Former Therapist Charged In HIPAA Case).
And in April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud as well as criminal HIPAA violations (see Hefty Prison Sentence in ID Theft Case).
Aside from those cases, most other defendants sentenced for criminal HIPAA violations have generally received much lighter sentences.
For example, last November, Christopher R. Lykes Jr., a former South Carolina state employee, was sentenced to three years of probation, plus community service, after he sent personal information about more than 228,000 Medicaid recipients to his personal e-mail account. Lykes pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy (see Sentencing In S.C. Medicaid Breach Case).
And in 2010, former UCLA Healthcare System surgeon Huping Zhou was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. Zhou was the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the central district of California (see HIPAA Violation Leads To Prison Term).