HIPAA violators not immune from criminal charges
In light of recent reports of a hospital employee facing criminal charges for violating privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA), it’s clear that violators of the law risk not only losing their job if they’re caught but also ending up in jail. The case isn’t the first federal prosecution under the Act – back in 2010, a Californian doctor received four months in jail after pleading guilty to four misdemeanor counts of snooping into the medical records of his supervisors and several well-known celebrities. While these cases are not common, they serve as a stark reminder to employees of HIPAA covered entities that the courts take HIPAA violations seriously and do not hesitate to impose fines and criminal sanctions on those found guilty of breaking the law.
According to the U.S. Department of Health and Human Services (HHS), HIPAA covered entities include health plans, health care clearinghouses, and any health care provider that electronically transmits any information in connection with a transaction for which HHS has adopted a standard. All HIPAA covered entities must comply with the Rule’s requirements to protect the privacy and security of individuals’ health information, and must provide individuals with certain rights with respect to that information. Any person who willingly commits one or more of the following acts can be criminally prosecuted under HIPAA:
- use or cause to be used a unique health identifier,
- obtain individually identifiable health information relating to an individual, or
- disclose individually identifiable health information to another person.
If convicted, the level of punishment depends on the seriousness of the offense:
- a fine of up to $50,000 and/or imprisonment for up to one year for a simple violation
- a fine of up to $100,000 and/or imprisonment for up to five years if the offense is committed under false pretenses
- a fine of up to $250,000 and/or imprisonment for up to ten years for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.
In addition to establishing a clear set of guidelines and standards for employees to abide by, employers that are HIPAA covered entities should provide regular training sessions and seminars that include an overview of the Rule’s requirements and any relevant criminal cases associated with violations of the law. Management Liability Policies usually provide a sublimit of $25,000 – $100,000 for investigations and penalties relating to violations of HIPAA. Employers should take a moment to review their current Management Liability policies to ensure their coverage is sufficiently broad for HIPAA investigations and civil penalties for violations of HIPAA.
About the Author
Mark Stiles is an Assistant Vice President at WGA and a member of the ExecutiveRisk Practice. He works with private and nonprofit organizations to assist them and their executives with protection for their exposures to Directors’ & Officers’ Liability, Employment Practices Liability, Fiduciary Liability, Crime, Kidnap & Ransom and Extortion.