Criminal Indictment for HIPAA Violation

Prosecution of criminal violations of HIPAA are rare, but on July 3, 2014 the U.S. Department of Justice announced the indictment of a former employee of an East Texas hospital for HIPAA violations.   The employee, Joshua Hippler, was charged with Wrongful Disclosure of Individually Identifiable Health Information.   Mr. Hippler can face up to ten years in prison if found guilty.

42 U.S.C. §1320d-6 provides for the criminal prosecution of individuals who knowingly use a unique health identifier, obtain individually identifiable health information or disclose individually identifiable health information.  Notably, prior to passage of the HITECH Act, this provision was understood to only apply to covered entities.  However, the HITECH Act clarified this and added the following language, “For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9 (b)(3) of this title) and the individual obtained or disclosed such information without authorization.”

Criminal prosecution and convictions under HIPAA have been few and far between to date.  However, those that have occurred serve to remind of the seriousness of HIPAA violations.  In 2009, an Arkansas doctor and two hospital employees pled guilty to misdemeanor violations of HIPAA after accessing patient records because they were curious.  All three accessed patient records without a legitimate purpose.   All three had received HIPAA training from their employer, and their employer had a system in place to track access to patient records.

In 2008 an Arkansas nurse pled guilty to a HIPAA violation for allegedly accessing a patient record and sharing the information with her husband who then allegedly called the patient and said he would use the information in a legal proceeding.   The U.S. Attorney for the Eastern District of Arkansas, Jane Duke, noted that, “Long gone are the days when medical employees were able to snoop around the office files for ‘juicy’ information to share outside the office.  We are committed to providing real meaning to HIPAA.”

Speak Your Mind