The recent criminal conviction of a Massachusetts physician provides a stark reminder that violating HIPAA can result in more than civil monetary penalties and the financial and reputational fall-out that results from a breach. In this case, as reported by Fox Rothschild LLP, perhaps the cover-up was worse than the crime, or maybe prosecutors decided that a conviction on other charges would have been harder to get. Either way, the case should alert covered entities and business associates to the fact that HIPAA violations can result in jail time and criminal fines. Read more about this case here.
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) investigates complaints and may impose civil monetary penalties (CMPs) for violations of HIPAA. The U.S. Department of Justice (DOJ) handles criminal investigations and penalties. This may not provide much comfort, but a CMP will not be imposed if the HIPAA violation is determined to constitute a criminal offense.
OCR will refer matters to DOJ for criminal enforcement in some cases or will work cooperatively with DOJ where a DOJ investigation on other grounds reveals a potential HIPAA violation. HHS reported that OCR had referred 688 cases to the DOJ for criminal investigation as of June 30, 2018.
The DOJ might seek a conviction for a violation of HIPAA when it believes such a conviction would be easier to get than a conviction for a violation of other federal laws governing health care providers (such as the anti-kickback statute).
When a health care entity (like a large hospital system or health plan) has deep pockets, the OCR may decide to pursue very high civil monetary penalties and rely on the financial and reputational implications of those penalties to act as a deterrent. On the other hand, the DOJ may seek to deter behavior associated with a wider range of criminal activities by pursuing jail time for a HIPAA violation. In the case of the Massachusetts physician, it is also likely that the DOJ pursued the criminal charge because she lied about her relationship with the third party to which she disclosed patient information.
Everyone subject to HIPAA should be aware that a HIPAA violation involving disclosure or breach of Individually Identifiable Health Information (IIHI) may be the low-hanging fruit for criminal prosecutors originally focused on other violations of law. Covered entities should carefully evaluate arrangements with third parties that involve the sharing of IIHI. If the sharing of IIHI is not permitted under HIPAA and commercial gain or harm is involved, these violations could result in the most severe level of criminal penalties, including significant jail time.
At HIPAAcraticRx, we understand that medical professionals face very real challenges when it comes to HIPAA compliance. The expanding amount of patient health information stored and transmitted electronically (ePHI) leaves your practice vulnerable to major security breaches and regulatory actions. Lack of proper employee training due to high staff turnover, and laxity in maintaining updated HIPAA certifications, are equally dangerous.
While implementing a compliance program may seem overwhelming, the fix can be simple. HIPAAcraticRx helps navigate the ambiguity of HIPAA with its 5-tier path to compliance. Each tier builds upon the one before it to forge a solid foundation of trust and integrity. Take the stress out of HIPAA compliance by enlisting HIPAAcraticRx as your ongoing partner in ePHI privacy and security.