Federal prosecutors in the Eastern District of Texas recently brought criminal charges under the Health Insurance Portability and Accountability Act (“HIPAA”) against a former East Texas hospital employee. The former employee has been indicted on charges of wrongfully disclosing Protected Health Information (“PHI”). Allegedly, he obtained PHI with the intent to use the information for personal gain.
Although HIPAA states that entities and individuals bound by the law may face up to 10 years in prison in addition to monetary fines for knowingly obtaining or disclosing PHI with the intent to sell, transfer, or use the data for personal gain or malicious harm, criminal charges have been brought under HIPAA infrequently. Instead, enforcement activity has mostly focused on assessing civil fines and mandatory corrective action plans for entities that unintentionally violate HIPAA by permitting the unauthorized access or disclosure of PHI. However, there have been several high-profile criminal cases brought under HIPAA. For example, in 2004, the first HIPAA criminal case was brought against a phlebotomist in Seattle who pled guilty to using a patient’s information to obtain and charge purchases to multiple credit cards. The phlebotomist ultimately was sentenced to 16 months in prison.
Informing employees of both their obligations and their potential criminal liability under HIPAA is an important part of HIPAA training for all entities covered by the law. Such training can put individuals on notice of the significant ramifications that they may personally face in the event that they improperly access, use, or disclose PHI.