Yet another criminal HIPAA case:
Jane W. Duke, United States Attorney for the Eastern District of Arkansas, along with William C. Temple, Special Agent in Charge of the Little Rock Division of the Federal Bureau of Investigation, announced today the guilty plea of Andrea Smith, age 25, of Trumann, Arkansas. Smith, a licensed practical nurse, pleaded guilty to wrongfully disclosing individually identifiable health information for personal gain, a violation of the health information privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) contained in Title 42, United States Code, Section 1320d-6.. . .
Duke noted that criminal enforcement of HIPAA is a fairly new concept. In fact, the first Department of Justice HIPAA prosecution was initiated in 2004 in the Western District of Washington. Since then only a handful of such cases have followed.
Read the US Attorney's press release here.
This recent spate of criminal HIPAA prosecutions is interesting to say the least. Recall that in 2005 a memorandum opinion was prepared for the General Counsel of the Department of Health and Human Services and the Senior Counsel to the Deputy Attorney General that described a rather narrow scope under the HIPAA criminal provisions (emphasis is mine):
Specifically, you have asked, first, whether the only persons who may be directly liable under section 1320d-6 are those persons to whom the substantive requirements of the subtitle, as set forth in the regulations promulgated thereunder, apply—i.e., health plans, health care clearinghouses, certain health care providers, and Medicare prescription drug card sponsors—or whether this provision may also render directly liable other persons, particularly those who obtain protected health information in a manner that causes a person to whom the substantive requirements of the subtitle apply to release the information in violation of that law. We conclude that health plans, health care clearinghouses, those health care providers specified in the statute, and Medicare prescription drug card sponsors may be prosecuted for violations of section 1320d-6. In addition, depending on the facts of a given case, certain directors, officers, and employees of these entities may be liable directly under section 1320d-6, in accordance with general principles of corporate criminal liability, as these principles are developed in the course of particular prosecutions. Other persons may not be liable directly under this provision. The liability of persons for conduct that may not be prosecuted directly under section 1320d-6 will be determined by principles of aiding and abetting liability and of conspiracy liability.
The memorandum opinion was notable at the time for defining a much smaller scope of potential criminal liability than what was anticipated in the legal community. The weight of the memo was undoubtedly a factor in the overall small number of HIPAA prosecutions in the years since the regulations went into effect.
That appears to be changing somewhat. Both Dwight McPherson (NewYork-Presbyterian Hospital/Weill Cornell Medical Center) and Lawanda Jackson(UCLA Medical Center) appear to have been low-level clerks whose actions would be difficult to impute to the Covered Entity itself.
An April 29, 2008 article in the Wall Street Journal hinted at more aggressive criminal enforcement of privacy breaches than what has been widely reported. iHealthBeat covered the article for those still waiting for WSJ to move to free content:
HHS said several hundred violations of the HIPAA medical privacy rule have been reported to the U.S. Department of Justice for criminal prosecution.However, a DOJ spokesperson said that the department has filed about 200 criminal cases since 2003 under a statute that includes HIPAA but that not all cases are necessarily HIPAA-related (Rubenstein, Wall Street Journal, 4/29).
Read the full iHealthBeat article here.