Among the lesser known features of the Health Insurance Portability and Accountability Act (“HIPAA”) are its criminal provisions.
HIPAA’s Privacy Rule created national standards for protection of individuals’ medical records and other personal health information (“PHI”). Two federal agencies enforce HIPAA’s privacy provisions: the Department of Health and Human Services Office for Civil Rights (“OCR”) and the U.S. Department of Justice (“DOJ”). Typically, OCR investigates HIPAA civil violation complaints and refers potential criminal violations to the DOJ.
HIPAA’s criminal penalties for Privacy Rule violations (42 U.S.C. § 1320d-6) apply to covered entities (certain health care providers, health plans, and health care data clearinghouses) and persons who, without authorization, obtain or disclose PHI maintained by a covered entity. Important features of these provisions include the following:
- Section 1320d-6 is narrowly focused on protection of “unique health identifier[s]” and “individually identifiable health information.”
- Section 1320d-6 provides for both (a) misdemeanor offenses, in which a person “knowingly and in violation of this part” uses, obtains, or discloses PHI, and (b) felony offenses, in which a person uses, obtains, or discloses PHI under false pretenses or commits the offense with an “intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm[.]”
- A misdemeanor HIPAA violation conviction results in a maximum term of imprisonment of one year and a $50,000 fine. The “false pretenses” felony carries a penalty of not more than five years’ imprisonment and a $100,000 fine, and the “personal gain” felony carries a maximum of 10 years’ imprisonment and a $250,000 fine.
Since HIPAA’s Privacy Rule went into effect in 2003, the DOJ has pursued criminal HIPAA charges in a limited number of cases spanning a wide range of scenarios. For example:
- In the first criminal HIPAA prosecution, a former health care worker stole the identity of a cancer patient and incurred $9,000 in credit card bills in the patient’s name. In December 2004, the defendant was sentenced to 16 months in prison following a plea of guilty to one felony HIPAA violation.
- In one of the first misdemeanor HIPAA prosecutions, a UCLA researcher accessed hundreds of medical records, including those of coworkers and celebrities, without any medical justification. In January 2010, he pleaded guilty to four HIPAA misdemeanors and was sentenced to four months in prison.
- In 2013, the registered agent of multiple Florida chiropractic clinics paid a hospital employee to access PHI of patients who had been involved in car accidents, which he used to solicit patients. The defendant pleaded guilty to four HIPAA felonies, among other charges, and received a sentence of 48 months in prison.
Because of the limited number of criminal HIPAA prosecutions, there are few ascertainable overarching trends in the DOJ’s approach to HIPAA. However, the ever-growing national interest in privacy issues, and in HIPAA in particular, ensures that criminal HIPAA prosecutions will continue to be a growing, cutting-edge field within health care law.