Originally published August 24, 2004

By Shannon Harsfield (Tallahassee)

For several months, various Assistant United States Attorneys have stated informally that HIPAA’s criminal penalties apply to anyone violating the law – not just covered entities. In their view, workforce members, business associates and others who handle "protected health information," as that term is defined in HIPAA, should use caution to ensure the information is used and disclosed properly. The first-ever criminal conviction for a HIPAA rules violation bolsters the argument that HIPAA is not just something that should be addressed by health plans, health care clearinghouses and health care providers engaging in standard transactions.

On August 19, 2004, a former cancer clinic employee, Richard W. Gibson, pleaded guilty in federal court in Seattle to wrongful disclosure of individually identifiable health information for economic gain. In a plea agreement, which is scheduled for hearing on November 5, 2004, Mr. Gibson admitted to obtaining demographic information about a cancer patient and disclosing that information, including the patient’s name, date of birth and social security number, in order to obtain four credit cards in the patient’s name. Mr. Gibson admitted to using the cards to purchase $9,000 worth of various items for his personal use. The cancer clinic fired Mr. Gibson upon discovery of the identity theft. If the plea agreement is accepted by the U.S. District Court Judge, Mr. Gibson faces a 10 to 16 month prison term. He must also pay restitution.

Criminal prosecution of a workforce member may come as a surprise, particularly to those covered entities that have not elected to implement comprehensive HIPAA compliance programs in light of the seemingly lax enforcement of the rules. Prior to August 19, 2004, there had been no public enforcement of the HIPAA Privacy Rules, which went into effect for most covered entities on April 14, 2003. The Office for Civil Rights, which is charged with civil enforcement of the Privacy Rules, has stated on numerous occasions that the Privacy Rules’ requirements apply only to covered entities, and not business associates or workforce members. The preamble to the December 28, 2000 version of the Privacy Rules stated, in part, "With regard to implications for the individual, persons in a covered entity’s workforce are not held personally liable for violating the standards or requirements of the final rule." While that may be true with respect to civil penalties, the Department of Justice apparently does not adhere to that view. This recent HIPAA conviction indicates that every member of the health care industry could be subject to criminal penalties for intentional misuse of health information for financial gain.

The fact that this HIPAA conviction stemmed from an act of identity theft also suggests that HIPAA penalties may apply to violations of other laws. For example, an individual submitting a false claim to Medicare is, arguably, using protected health information for purposes other than treatment, payment, or health care operations. Therefore, the act of submitting the false claim could be construed, potentially, as a HIPAA violation as well.

As of July 31, 2004, the Office for Civil Rights received and initiated reviews of 7,577 HIPAA complaints. Only 57 percent of those cases were closed as of July 31, and over 108 cases have been referred to the Department of Justice for potential criminal prosecution. Most complaints involve: (1) impermissible uses or disclosures of health information; (2) absence of adequate safeguards to protect health information; (3) failure to provide patients with access to records; (4) disclosing more information than is minimally necessary; and (5) making disclosures without a valid authorization when an authorization is required.

The first HIPAA guilty plea should cause all covered entities to take measures to re-assess their HIPAA compliance plans and ensure that their workforce members take privacy seriously. If a workforce member violates HIPAA, covered entities could also have exposure, particularly if they have failed to conduct adequate training or develop comprehensive privacy protections. A covered entity’s risks increase dramatically if it knew or should have known of an employee’s improper acts.

HIPAA compliance is an ongoing effort. Covered entities must adhere to their policies and procedures and take appropriate steps to address complaints. As illustrated by this recent plea agreement, it is also important for business associates, workforce members and others not directly covered by HIPAA to make sure that they use and disclose protected health information properly.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.