Last week we reviewed all the civil and criminal penalties associated with HIPAA violations/breaches. We promised to tell you, this week, about the few cases that involved jail time. These violations were from people who weren’t careful.

Violations of HIPAA that are most likely to result in jail time include:

– Using or causing a unique health identifier to be used
– Obtaining individually identifiable health information relating to an individual
– Disclosing individually identifiable health information to another person.

There have been only a dozen or so HIPAA prosecutions and just a few have resulted in jail time, so far.  Here are some of the cases we reviewed:

In December of 2008, an Arkansas woman was sentenced to probation and community service for her role in disclosing protected health information.  This LPN and her husband were indicted for violations of the HIPAA administrative simplification act, as well as conspiracy to wrongfully use and disclose protected health information. According to the indictment, at the time of the offense, the wife accessed the protected health information of a patient of the clinic, and then shared that information with her husband. Her husband then informed the patient that he was planning to use the information in an upcoming legal proceeding against the patient.  The wife pled guilty to the charge of wrongfully disclosing protected health information for malicious harm or personal gain. In exchange, the government dismissed the conspiracy count against both of them, and also dismissed a remaining count against her husband. The wife seemed to cut a pretty good deal, as she originally faced a maximum penalty of ten years of imprisonment, a fine of no more than $250,000, or both, and a term of supervised release of no more than three years.

The first ever jail sentence was given in 2010 to a doctor who got fired and received a four-month sentence for accessing medical records that he “did not have a need to know”. He looked at the medical records of his immediate supervisor, his co-workers and some celebrities. Even though he showed no intent to use the information for personal reasons, just looking at records that you do not have a need to see for treatment, payment or operations of healthcare can earn you jail time.

In August 2012, an owner of a New York medical supply company was sentenced to 12 years in prison for HIPAA violations and Medicare fraud.

In 2013, a nursing assistant at a Florida assisted living facility was sentenced to 37 months for wrongful disclosure of HIPAA protected information.

In 2015, a Texas hospital worker was sentenced to 18 months in jail when he took patient records out of the facility with the intent to use them for personal gain.

Another 2015 case resulted in a 3-year probation and community service sentence for a South Carolina State worker. This individual took over 200,000 records of Medicaid participants which he intended to use for personal gain.

Experts expect to see more prosecutions under HIPAA. Medical records are more valuable on the “black market” because they reliably have the “BIG 3” – name, social security number and date of birth. To protect your company, your employees and yourself, be sure that your entire workforce and all your business associates know how important it is to access only the patient information that they have a “need to know”. NEVER take PHI out of the office without appropriate safeguards and controls. Ensure you have policies and procedures that protect your PHI and that your training is robust and performed on an ongoing basis to help ensure you won’t get bitten by HIPAA!