Health care fraud has long been a focus of the Department of Justice. In 2014, DOJ recovered nearly $6 billion (that’s billion with a “b”) from civil health care fraud cases.
DOJ has had its share of setbacks too. Just last week, a Northern Virginia dermatologist was acquitted of heath care fraud charges.
One area where DOJ has not been very active (yet) is prosecuting criminal violations of the Heath Insurance Portability and Accounting Act (HIPAA). The law protects the privacy of health care information and includes penalties for knowingly divulging confidential information. Given all the news about security breaches at large companies, is this the next frontier for DOJ in the health care realm?
Generally, HIPAA prohibits disclosure of a patient’s personal health information, absent express consent, for any purpose aside from treatment, payment, or healthcare oversight.
In accordance with HIPAA:
The term “individually identifiable health information” means any information, including demographic information collected from an individual, that–
(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and–
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
42 U.S.C.A. § 1320d.
HIPPA applies to “covered entities.” The statute defines the following as entities:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1320d-2(a)(1) of this title.
42 U.S.C.A. § 1320d-1.
When the statute was released, there was some confusion as to whom HIPAA really applied. DOJ has clarified that entities themselves can be liable under the statute along with specified individuals.
Those individuals include employees and business associates of the entities. It’s also important to keep in mind that even a non-covered individual could be held indirectly liable for a HIPAA violation, though a theory of conspiracy or aiding and abetting.
Penalties for Violating HIPAA
The statute states the following with regards to how HIPAA can be violated:
A person who knowingly and in violation of this part–
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section.
The criminal penalties are as follows:
A person described in subsection (a) of this section shall–
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
42 U.S.C.A. § 1320d-6.
In addition to the criminal penalties, there are civil ones as well. The Office of Civil Rights of the Department of Health and Human Services can impose civil monetary penalties. However, HHS mostly engages in “educational” efforts regarding HIPAA and doesn’t often bring these enforcement proceedings.
HIPAA does not have a private right of action for the direct victims of these disclosures. Even though HIPAA preempts contrary state law, many state courts have allowed for negligence claims brought by these victims through common law tort liability. Some states have held that the standard for non-disclosure of medical information in HIPAA is the “standard of care” for these actions.
Examples of Criminal Convictions for HIPAA Violations
Criminal prosecutions under HIPAA are rare. However, a recent FBI investigation of Warner Chilcott, a pharmaceutical company, has resulted in a number of prosecutions. (I wrote about the president’s indictment recently.)
A couple of weeks ago, a former district manager at Warner Chilcott and the fifth person from the company charged as a result of the investigation, Landon Eckles, pleaded guilty to wrongful disclosure of identifiable health information under HIPAA.
Mr. Eckles was trying to push sales of Altevia, an osteoporosis treatment drug. The drug had poor insurance coverage in his area, and many pharmacies required prior authorization from a physician before filling a prescription for the non-generic drug. Prior authorizations contain the personal health information of the patient. Allegedly, Mr. Eckles told his sales reps to fill out prior authorizations themselves if physicians refused, and in doing so, they illegally accessed personal health information.
Mr. Eckles also violated HIPAA by accessing multiple patient files without permission and inserting Altevia brochures. He will be sentenced in March of 2016. It will certainly be interesting to see what sentence will be imposed, since it appears from the reported facts that, at a minimum, this was done under “false pretenses.”
In 2010, Dr. Huping Zhou became the first person to be sent to prison for violating HIPAA. He was a researcher at the UCLA School of Medicine who illegally accessed the medical records of his supervisor, various coworkers, and some well-known celebrities. He pleaded guilty to four counts of knowingly obtaining individually identifiable health information without a valid reason and was sentenced to four months in federal prison.
The Zhou prosecution was particularly interesting in that while Dr. Zhou did access the files without permission, there was no evidence that he disclosed the information to others or did anything else with it.
In a more extreme case from 2013, a nurse was sent to prison for 37 months when she negotiated the sale of social security numbers to an undercover police officer in Tampa, Florida. She obtained the numbers from the patient records of an assisted living facility. Because she attempted to use the information for commercial gain, her penalty was much more severe than that of Dr. Zhou.
Could Computer Breaches of HIPAA-Protected Information Lead to Criminal Charges?
There is story after story in the news about security breaches at major retailers, like Target. Hackers obtain credit card and other personal information. What if a hacker attacked a hospital or health care provider? Could that provider be criminal liable under HIPAA?
It seems unlikely, as long as the provider had reasonable security measures in place and notifies the patients of the breach.
HIPAA requires that the disclosure happened “knowingly,” which generally means that the defendant acted with knowledge of the conduct. This is a lower standard than “willfully” which requires intentional conduct, though not necessarily with an evil intent. But knowingly is a much higher standard than “negligently.”
Every computer system is vulnerable to attacks in some way. HHS recognizes that breaches of medical information will occur and has specific rules for when a security breach must be disclosed by a provider.
Except in a situation where a provider’s system is so lax as to be reckless (for example, a non-password-protected website where patients’ private medical information is freely available), it seems unlikely that a provider’s failure to prevent a breach would be criminal conduct. Certainly, the provider did not intend the information to be disclosed in any way and thus the conduct would not be “knowingly.”
It would not surprise me if DOJ continued to prosecute HIPAA violations aggressively, particularly when medical information is being sold for economic gain. That aggressiveness, however, seems unlikely to extend to computer breaches of providers’ systems. HHS’s rules require providers to disclose breaches to patients, to the Secretary of HHS and to “prominent media outlets” in certain circumstances.
Those incentives seem strong enough to ensure that health care providers will put into place strong enough hacking-defense systems to avoid any criminal liability in the first place.