By now, the term "HIPAA" is a household term—but few people have a strong grasp of the possible sanctions one might face for intentionally violating the HIPAA regulations. Recent cases illustrate that individuals and employers whom have wrongfully accessed protected health information face not only possible criminal sanctions under HIPAA, but also prosecution under several other federal criminal laws.
A recent case prosecuted by the U.S. Attorney's office in the Eastern District of Arkansas may indicate an increased level of enforcement by the government of the criminal sanctions contained in the federal medical privacy law. These sanctions are contained in the administrative simplification provisions of the Health Insurance Portability and Accountability Act, ("HIPAA") . In December of 2008, an Arkansas woman was sentenced to probation and community service for her role in disclosing protected health information.
Andrea Smith and her husband were indicted for violations of the HIPAA administrative simplification act, as well as conspiracy to wrongfully use and disclose protected health information. According to the indictment, at the time of offense, Smith was a licensed practical nurse working in a medical clinic located in Jonesboro, Arkansas. She accessed the protected health information of a patient of the clinic, and then shared that information with her husband. Her husband then informed the patient that he was planning to use the information in an upcoming legal proceeding against the patient.
Smith pled guilty to the charge of wrongfully disclosing protected health information for malicious harm or personal gain. In exchange, the government dismissed the conspiracy count against both of them, and also dismissed a remaining count against her husband. Smith faced a maximum penalty of ten years of imprisonment, a fine of no more than $250,000, or both, and a term of supervised release of no more than three years.
This is appears to be the fifth criminal case brought under HIPAA since the privacy rules went into effect in 20031. What makes the case especially interesting is that the government charged the employee of the health care clinic, but not the clinic itself (which terminated Smith upon learning of the charges).
The charges did not include any additional charges for fraud and identity theft. As the prosecuting U.S. Attorney Jane W. Duke explained, criminal prosecution of HIPAA violations is a "fairly new concept," but warned that the federal government intends to pursue HIPAA violations through "vigorous enforcement."2
While HIPAA was enacted in 1996, criminal enforcement of the statute is a relatively recent development. Two federal agencies are charged with enforcing the privacy provisions of HIPAA: the United States Department of Health and Human Services (HHS), the federal agency charged with the civil enforcement of HIPAA, and the U.S. Department of Justice, the federal agency charged with criminal prosecution of HIPAA violations. The two agencies have taken different approaches to enforcing the statute. As a result of this, employees and businesses not originally thought to be covered by HIPAA are now at risk for prosecution. This raises a host of compliance issues for businesses and individuals who have access to protected health information.3
HHS takes the position that only so called "covered entities" are subject to civil penalties under HIPAA. "Covered entities" are health plans, health care providers, sponsors of Medicare drug discount cards, and health care clearinghouses. HHS has made clear that persons or entities who otherwise may have lawful access to protected health information, but who are not covered entities, do not fall within the definition of a "covered entity" are not subject to civil penalties. This would include employees, vendors and third-party administrators. This includes "business associates" of covered entities, as that term is used in the privacy rule.4
However, for the purposes of criminal enforcement, the Department of Justice has traditionally taken a different position. It has demonstrated its position through a handful of criminal prosecutions as well as a memorandum outlining the basis for such prosecutions.
The HIPAA criminal statute, 42 U.S.C.A. § 1320d-6, reads in pertinent part:
"A person who knowingly and in violation of this part—
- uses or causes to be used a unique health identifier;
- obtains individually identifiable health information relating to an individual; or
- discloses individual identifiable health information to another person, shall be punished as provided in subsection (b) of this section."
"This part" refers to the administrative simplification provisions of HIPAA, under which the HIPAA rules were promulgated. In order to "obtain or disclose" protected health information "in violation of this part," one has to be subject to the HIPAA rules. The rules apply only to "covered entities." There are four kinds of covered entities: health care providers that engage in electronic standard transactions, sponsors of Medicare drug discount cards, and health care data clearinghouses.5
Logically, this suggests that only covered entities are subject to criminal prosecution.6 However, in June of 2005, the Office of Legal Counsel ("OLC") of the Department of Justice provided guidance on this exact issue in the form of an opinion discussing prosecution of HIPAA privacy violations.7
The OLC opinion confirmed that covered entities (health plans, health care clearinghouses, certain health care providers, and Medicare prescription drug card sponsors) may be prosecuted for criminal liability under Section 1320d-6. Id. The opinion then went on to suggest that "depending on the facts of a given case, certain directors, officers and employees of these entities may also be liable directly under section 1320d-6, in accordance with principles of corporate criminal liability. Other persons may not be liable directly under this provision." In this sense, the OLC opinion provides a narrow set of persons whom may be prosecuted directly under the statute.
However, the OLC opinion suggested that those who may not be prosecuted directly under Section 1320d-6 could still be prosecuted under "principles either of aiding and abetting liability and conspiracy liability." In particular, the OLC opinion referred to language in 18 U.S.C. § 2 (commonly referred to as the "aiding and abetting statute") which allows anyone who "willfully causes an act to be done which if directly performed by him or another would be an offense against the United States," to be punished as a principal.
In addition, the OLC opinion cited the conspiracy statute, 18 U.S.C. § 371, which allows for prosecution "if two or more persons conspire...to commit any offense against the United States...and one or more of such persons do any act to effect the object of the conspiracy." The OLC declined to provide insight into the use of these federal statute to criminally prosecute people under HIPAA, indicating that in the "absence of a specific factual context [it] would be unfruitful" to continue further discussion. Id.
The government typically uses the aiding and abetting statute, 18 U.S.C. § 2 to prosecute parties accountable for their conduct, even if they acted through the agency of others. The statute reads in pertinent part:
"Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal." 18 U.S.C. § 2(b).
Under the aiding and abetting statute then, a defendant may be held guilty for violation of a federal statute, even if he/she was not necessarily in the class of persons to whom a substantive statute is directed.8 For example, courts have applied 18 U.S.C. § 2(b) in various circumstances, including finding an employee of a firearms dealer guilty for causing the violation of 18 U.S.C. § 922, even though the statute applied only to firearms dealers on its face.9
When combining the aiding and abetting statute, Section 2(b), with the HIPAA criminal statue, Section 1320d-6, the result is that if an "employee of a covered entity (who is not himself a covered entity) intentionally causes a wrongful disclosure of a patient's confidential health information, this action, if directly performed by another—that is, by the covered entity—it would constitute an offense against the United States....So long as the underlying conduct would have constituted an offense if it had been committed directly by the covered entity, the employee of the covered entity who was responsible for the conduct is still subject to prosecution as a principal under Section 2(b)." 10
This extension of criminal liability to individuals was recently articulated in the American Recovery and Reinvestment Act ("the Act") signed by President Obama on Feb. 17, 2009. The Act included several important changes to the HIPAA privacy and security regulations. Among other things, the Act brought criminal enforcement in line with the OLC's opinion, by amending the criminal provisions of the HIPAA statute to clarify that a person who obtains or discloses protected health information from a covered entity without authorization commits a violation of the criminal provisions of HIPAA. In addition, the Act increased civil penalties for violations of HIPAA, and now includes penalties for violations due to "willful neglect" to observe the obligations of the statute.11
The OLC opinion also suggested that "depending on the specific facts and circumstances, such conduct may also be punishable under other federal laws." These laws include, for example, those statutes dealing with identity theft and fraudulent access of a computer. The computer fraud and abuse statute ("CFAA") states in pertinent part:
"Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5000 in any 1-year period; shall be punished as provided in subsection (c) of this section." 18 U.S.C. § 1030(a)(4). The maximum penalty for violations of 18 U.S.C. § 1030(a)(4) is five years imprisonment. 18 U.S.C. § 1030(c)(3).
It is easy to see how the computer fraud statute could be used in conjunction with the HIPAA criminal statute, since HIPAA violations often involve the unauthorized use of a computer system. For example, an individual can be held liable under the CFAA for "exceeding authorized access" if initial access to a computer is permitted, but access of certain information is not permitted.12 The statute sets forth a minimum damage requirement of $5,000, which can easily be satisfied by taking into account forensic and related costs.13
Likewise, the federal identity fraud statute is suited to prosecuting conduct that might also involve a HIPAA violation. The federal identity fraud statute makes it a crime to "knowingly transfer an identification document, authentication feature, or a false identification document knowing that such document or feature was stolen or produced without lawful authority."14 Thus, the transfer of protected health information in order to facilitate identity theft would implicate this statute, as well.
Since the OLC opinion was published, the government has prosecuted a handful of employees of "covered entities" using exactly the mechanism suggested in the opinion---the aiding and abetting statute. In addition, in certain cases, the government has also alleged violations of computer and identity fraud criminal statues as additional ammunition in its fight against HIPAA privacy violations. The government has also cited conspiracy charges but, as is typical in criminal cases, these charges have been used as leverage against co-conspirators who are willing to testify against the target defendant.
For example, in January of 2007, the first criminal HIPAA jury verdict was entered in the case U.S. v. Ferrer. A Florida jury found the defendant, Mr. Fernando Ferrer, guilty of one count of wrongful disclosure of individually identifiable health information, five counts of aggravated identity theft, one count of computer fraud, and one count of conspiring to defraud the United States.15
Mr. Ferrer owned a healthcare administrative company at the time of the violations, and misappropriated the protected data of more than 1,400 patients of a satellite Cleveland Clinic operation. He worked with his cousin, who was an employee of Cleveland Clinic, in order to obtain the protected health information. Ferrer used the information to submit more than $7,000,000 in fraudulent Medicare claims. His cousin pled guilty to conspiracy and testified at trial against Ferrer. Ferrer was sentenced to 87 months in prison, 3 years of supervised release, and ordered to pay more than $2.5 in restitution.16
The other criminal HIPAA cases brought by the government against employees have resulted in guilty pleas. In a 2006 Texas case, an employee of a doctor's office pled guilty to selling the confidential medical information of an FBI agent to a person she believed was working for a drug trafficker. The employee accepted $500 for the information, which she was charged solely with a HIPAA criminal violation, and not a computer fraud violation, as well.17
And in what was the first criminal conviction under HIPAA, a Seattle man pled guilty to the wrongful disclosure of individually identifiable health information for economic gain. The defendant was an employee of the Seattle Cancer Care Alliance, and admitted that he obtained a cancer patient's name, date of birth and social security number. He used that information to obtain four credit cards in the patient's name, and purchased a variety of items on those cards, totaling more than $9000.18 Although this was a classic case of identity theft, the defendant was charged only a criminal HIPAA violation. Interestingly, he never actually disclosed the patient's medical information, but rather used the demographic information contained in medical records to commit identity theft.
In the latest "HIPAA twist," in at least one government investigation we are aware of, the government has alleged that reviewing patient files with a sales representative could potentially expose a company to criminal liability under HIPAA. At best, this is a tortured interpretation of HIPAA, but it may also reflect the government's increasing use of potential HIPAA violations as an "add on" to larger criminal cases.
Celebrities are often the victims of privacy violations. In April of this year a former administrative specialist at UCLA medical center was indicted by federal grand jury for allegedly selling private medical information about actress Farah Fawcett to a national media news outlet, in violation of 1320d-6 and 18 U.S.C. § 2(b). According to the indictment, Ms. Jackson received at least $4,600 from a national news publication through checks made out to her husband. Ms. Fawcett and her lawyers alleged that Ms. Jackson leaked protected health information about her fight with cancer to certain tabloids. The former employee faces up to 10 years in prison. It is not clear whether the government will prosecute the national media outlet (widely believed to be the National Enquirer), but the company could potentially face conspiracy charges for aiding and abetting Jackson.19
In the same month, 14 UCLA workers resigned, retired or were fired and nine physicians were suspended, after an internal audit found they had unlawfully accessed Britney Spears' health records. Apparently an internal audit conducted by the university health system revealed that hospital workers had improperly viewed health records of more than 60 patients, mostly celebrities and politicians.20
Part of the problem may have been shared records between the various hospitals within the UCLA health system, including the UCLA Medical Center. An audit conducted by the California Department of Public Health ("CDPH") revealed that within two days of Spears' admission for the birth of her first son at the Santa Monica facility, workers there and at the UCLA Medical Center (whom had access through a shared medical records system) accessed her records.21
As a result of these actions on the part of employees, the UCLA health system was cited by the CDPH for a number of deficiencies, including 1) failure to maintain the privacy and confidentiality of a patient's medical records; 2) failure to report a breach of confidentiality to CDPH; 3) failure to maintain a separate and distinct medical records information system; and 4) failure to safeguard medical records against use by unauthorized individuals.
UCLA is now obligated to develop and maintain a corrective action plan, which includes a new training module focused solely on patient privacy that reinforces HIPAA requirements, a new process for handling high-profile patients' permanent aliases, and a new portal in the medical records system that give a HIPAA compliance warning and includes a "reason for access" question that asks the user why he or she is accessing the record. 22
Given the government's newfound enforcement mechanism to criminally prosecute employees who wrongfully disclose individually identifiable health information for economic gain, health care providers need to review their privacy and information security programs to ensure patients' privacy. As these cases reveal, small physician practices and clinics are just as likely to be targeted as larger hospitals and medical groups.
It is vitally important for health care entities to implement an effective and flexible information security compliance program. Any such program should seek to reduce the ability of employees to engage in criminal conduct. As such, a compliance program should include, at the minimum, a strong message that the employer will not tolerate privacy violations and distribution of materials regarding the criminal implication for intentional HIPAA violations and the misuse of computer systems.
Footnotes
1 See Amy Lynn Sorrel, American Medical Association, July 14, 2008, "Criminal HIPAA case targets employee, not clinic, for breach."
2 U.S. Department of Justice Press Release, April 15, 2008, "Nurse Pleads Guilty to HIPAA Violation."
3 John Aloysius Cogan, Jr., "Federal Agencies Diverge on the Application of HIPAA's Civil and Criminal Penalties," New England In-House, October 2004.
4 In a very recent and noteworthy civil investigation brought by HHS and the Federal Trade Commission ("FTC"), CVS Pharmacy settled allegations against for improper disposal of identifying patient information on pill bottle labels for $2.25 million, The company also signed a consent order which applies to all of its 6,000 pharmacies to implement a robust corrective action plan, including safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.
5 The privacy regulations also seek to protect the confidentiality of medical information that is disclosed to business associates—those companies that perform important functions for covered entities— by requiring a covered entity to enter in a written agreement guaranteeing the same level of confidentiality for medical information as the covered entity is required to provide. See 42 C.F.R. § 164.504(e)(2)(ii)(A)
6 This issue is discussed by Peter A. Winn, Assistant United State Attorney, "Who is Subject to Criminal Prosecution under HIPAA", available on http://www.abanet.org/health/01_interest_groups/01_ehealth.html .
7 See U.S. Department of Justice, "Memorandum for Alex M. Azar, II General Counsel, Department of Health and Human Services, from Timothy J. Coleman, Senior Counsel to the Deputy Attorney General, Re: Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6 (June 1, 2005).
8 United States v. Odem, 736 F. 2d 150 (5th Cir. 1984).
9 See U.S. v. Scannapieco, 611 F. 2d 619 (5th Cir. 1980).
10 Winn, infra note 5.
11 Previously, civil violations of HIPAA could only be enforced through the Secretary of Health and Human Services. Under the new Act, HIPAA violations are now enforceable in civil actions brought by state attorney generals, both to enjoin violations and to obtain damages.
12 Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962R (D.C. Ariz. 2008).
13 18 U.S.C. §1030(a)(4) is the only section of the computer fraud statute which has been used in HIPAA criminal convictions.
14 18 U.S.C. § 1028(a)(2).
15 United States Attorney's Office, Southern District of Florida, Press Release, May 3, 2007.
16 Id.
17 Department of Justice Press Release, "Alamo Women Convicted of Selling FBI Agent's Medical Records," March 7, 2006; see also Indictment for United States v. Liz Arlene Ramirez, Case No. M-05-708, United States Southern District of Texas.
18 Plea Agreement, United States v. Richard W. Gibson, case number CR04-0374 RSM, United States District Court, Western District of Washington.
19 Charles Ornstein, "Ex Worker Indicted in Celebrity Patient Leaks," Los Angeles Times, April 30, 2008.
20 Jennifer Steinhauer, "California Hospital Faces Sanctions After Workers Wrongly Looked at Patient Records," New York Times, April 8, 2008.
21 Atlantic Information Services Health Business Daily, "UCLA System Facilities are Cited by State for Patient Privacy Breaches," June 23, 2008.
22 Id.
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.
