U.S. Charges Employee With Violating HIPAA’s Privacy Provisions

In the first criminal prosecution under the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a Seattle man has been indicted and has pled guilty to wrongfully disclosing an individual’s health information for economic gain.

The defendant, Richard Gibson, apparently obtained the name, birth date and Social Security number of a cancer patient and then disclosed the information to obtain credit cards in the patient’s name. Gibson then went on a shopping spree, making over $9,000 in purchases in the patient’s name.

Under the criminal provisions of HIPAA, a “person” who “knowingly and in violation of” HIPAA obtains or discloses the health information relating to an individual can be punished by fines of up to $250,000 and 10 years in prison.

Gibson’s plea agreement imposes a term of 10 to 16 months in prison (or home confinement) and requires that he make restitution. A hearing on whether the court will accept the plea agreement is scheduled for later this fall.

At first blush, the Gibson case may not seem significant. After all, the HIPAA privacy regulations have been in effect for over a year now.

Yet, Gibson’s indictment is important with respect to the issue of who is subject to criminal penalties under HIPAA. The Gibson case tells us that the Department of Justice (DOJ) reads the term “person” in HIPAA’s criminal provisions to include everyone.

Conflicting Interpretations

This interpretation, however, is at odds with the position taken by the U.S. Department of Health and Human Services (HHS), the federal agency charged with the civil enforcement of HIPAA.

Since well before April 14, 2003, the initial compliance date for the HIPAA Privacy Rule, HHS has taken the position that only so-called “covered entities” (CEs) are subject to civil penalties under HIPAA. HHS views the word “person” in HIPAA’s civil penalty provision as applicable only to CEs.

CEs include not only health care providers and health care clearinghouses (entities that convert data for billing or other purposes), but also health plans. Conversely, HHS has made clear that persons and entities with access to “protected health information” (PHI), but not falling within the definition of a CE, are not subject to civil penalties. These non-CEs include employees, business associates, vendors, and third-party administrators. As a result of HHS’ widely publicized interpretation, most HIPAA compliance and training programs are geared solely to ensuring compliance by CEs.

Yet, indications of a potential conflict between the HHS and DOJ interpretation of the term “person” in HIPAA have been looming on the horizon. For nearly a year now, DOJ attorneys have suggested in informal settings, such as legal conferences and listservs, that HIPAA’s criminal penalties are applicable to anyone violating the HIPAA provisions, not just CEs.

Under the DOJ’s interpretation of “person,” employees, business associates, and anyone else who knowingly uses or discloses PHI will subject to criminal penalties. The DOJ publicly announced its broad enforcement policy by indicting Gibson, a non-CE, under HIPAA rather than some other, and perhaps more appropriate criminal statute.

Implications Of Case

As a result of DOJ’s interpretation of “person,” the field of possible targets for a government enforcement action has been expanded to include persons and businesses not originally thought to be covered by HIPAA.

Whether the courts will uphold DOJ’s view that a non-CE may be convicted under the HIPAA criminal statute is still an open question. The Gibson case, however, confirms that DOJ is willing to apply the criminal statute in a manner that differs from the way HHS applies the civil penalty statute. This means that businesses and persons thought previously to be exempt from HIPAA should consider implementing a training program and taking steps to establish oversight procedures for any activity involving the use or disclosure of PHI.

Those businesses should also ensure that their employees observe HIPAA’s requirements. In short, anyone who handles PHI – regardless of their status as a CE – must formulate and adhere to policies and procedures in order to minimize their exposure under HIPAA’s criminal provisions.

John A. Cogan Jr. is an associate in the health care practice group at Partridge Snow & Hahn LLP in Providence, R.I. He focuses on health care regulatory compliance, providing counsel in areas such as HIPAA, Medicare and Medicaid.