Guest, posted August 9, 2007

Source: Medicine and Health Rhode Island, Jan 2005 (via FindArticles)

FIRST-EVER HIPAA CONVICTION HIGHLIGHTS DIFFERING VIEWS OF HIPAA'S CIVIL AND CRIMINAL PENALTIES
Cogan, Aloysius

On November 5, 2004, Gibson, a former cancer clinic employee, was sentenced to sixteen months in federal prison after pleading guilty to violating the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Prior to sentencing, Gibson admitted to disclosing the "protected health information" (PHI) of one of the clinic's patients. Gibson confessed to obtaining a cancer patient's PHI, including the patient's name, date of birth, and social security number, and disclosing the information to obtain credit cards in the patient's name. Gibson then used the credit cards to purchase thousands of dollars worth of various items for his personal use.

This conviction, the first ever under the privacy provisions of HIPAA, raises concerns about the diverging HIPAA enforcement theories held by the two federal agencies charged with enforcing HIPAA's privacy provisions. The Gibson conviction also puts physicians (and anyone else who handles confidential patient information) on notice that the field of possible targets for a government enforcement action under HIPAA is much broader than originally thought. That field now includes persons and entities not initially presumed to be covered by HIPAA.

HHS AND DOJ INTERPRET THE TERM "PERSON" IN HIPAA DIFFERENTLY

To understand the significance of the Gibson conviction, one must look to the source of HIPAA penalties: the statutory provisions that establish the government's ability to punish, either civilly or criminally, violations of HIPAA's privacy requirements. Both the civil and criminal provisions of HIPAA allow for the imposition of penalties against any "person" who violates HIPAA's privacy provisions.[1]

While the use of an identical word ("person") in both provisions to define the object of potential penalties would seem to suggest that civil and criminal penalties could only be imposed against the same class or type of violators, this is not the case. The United States Department of Health and Human Services (HHS), the federal agency charged with enforcement of HIPAA's civil penalty provisions, and the Department of Justice (DOJ), the federal agency charged with enforcement of HIPAA's criminal penalty provisions, interpret the term "person" differently.

When the HIPAA Privacy Rule[2] was first published, HHS made clear that it interpreted the term "person" narrowly. HHS stated that it only had authority to impose civil penalties against "covered entities."[3] According to HHS' interpretation, only "covered entities" (CEs) fall within the definition of the term "person" as it appears in the HIPAA civil penalty statute. As a result, only CEs are subject to civil penalties. CEs include health plans (i.e., insurance companies and plans, Medicare and Medicaid contractors, and government agencies that pay for health care), clearinghouses (entities that convert electronic health care data from one format to another for billing or other purposes), and health care providers who electronically transmit health information in connection with certain transactions, including claims for payment, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule.[4]

Thus, according to the HHS definition of CEs, only certain health care providers are subject to HIPAA's civil penalties. A physician who does not engage in the HIPAA-defined electronic transactions, either directly or indirectly, is not a CE. For example, a physician who is salaried and whose services are not billed to an insurer or a governmental payer is not a CE. Because that physician is not a CE, he or she is not a "person" under the HIPAA civil penalty statute and is not subject to any civil penalties under HIPAA.[5]

Now, however, DOJ has taken a different position with respect to the meaning of the term "person." For nearly a year now, DOJ attorneys have privately suggested that HIPAA's criminal penalties are applicable to anyone, not just CEs. Under this broad interpretation, non-CEs, employees, business associates, and anyone else who knowingly uses or discloses PHI in a manner prohibited by HIPAA is subject to criminal penalties. DOJ applied this theory of "person" when it indicted and convicted Gibson. Gibson was not a CE. Instead, he was merely an employee of a health care provider.

IMPLICATIONS OF THE FIRST PRIVACY PROSECUTION UNDER HIPAA

Because Gibson's conviction resulted from a plea agreement, there was little judicial scrutiny of DOJ's theory that HIPAA's criminal provisions apply to anyone. As a result, the Gibson case only confirms publicly what individual DOJ attorneys have been saying privately: DOJ is willing to apply the HIPAA criminal statute in a manner that differs significantly from the way HHS applies the civil penalty statute. In the long run, it will be up to the courts to sort out whether DOJ's position is correct. For the time being, all we can do is assume that further HIPAA convictions of non-CEs are not out of the question.

This new development means that any physician who previously thought he or she was exempt from HIPAA should reconsider his or her position. He or she should consider taking some HIPAA training courses and establishing oversight procedures for any of his or her activities involving the use or disclosure of confidential health information.

CRIMINAL PENALTIES UNDER THE RHODE ISLAND CHCCIA

For Rhode Island physicians, however, the landscape does not appear to have been radically altered by the Gibson case. The Rhode Island Confidentiality of Health Care Communications and Information Act (the CHCCIA)[6] contains its own criminal penalty section, which, by its express terms, applies to anyone who intentionally and knowingly violates the provisions of the CHCCIA.[7] Although little guidance exists on the application of the CHCCIA criminal provision,[8] it would not be unreasonable to assume that this statute, like its HIPAA counterpart, will be interpreted broadly by prosecutors.

Yet there is one thing we can be sure of. Both the Gibson conviction and the now twenty-month-old implementation of the HIPAA Privacy Rule have moved the issue of patient confidentiality into the spotlight. Physicians must take care to ensure that confidentiality of patient health information is a central part of their daily practice.

REFERENCES

1. Compare 42 U.S.C. § 1320d-5 (civil penalty provision) with 42 U.S.C. § 1320d-6 (criminal penalty provision).

2. It is important to remember that HIPAA and the HIPAA Privacy Rule are two separate things. HIPAA is a statute enacted by Congress in 1996 that was designed, among other things, to establish protections for certain health information. HIPAA contains general requirements and penalty provisions related to health information privacy. The HIPAA Privacy Rule, which became effective for covered health care providers in April of 2003, is a set of regulations promulgated by HHS to interpret and apply the health information privacy provisions contained in HIPAA.

3. See 65 Fed. Reg. 82462, 82579 (Dec. 28, 2000).

4. 45 C.F.R. §§ 160.102, 160.103; 42 U.S.C. § 1320d-1(a)(3). The transaction standards are established by the HIPAA Transactions Rule, 45 C.F.R. Part 162. The use of other electronic technologies by a physician, such as e-mail or a fax machine, does not bring a physician within the definition of a "covered entity."
However, physicians who do not directly transmit health information electronically in connection with payment or other covered transactions will be considered "covered entities" if they engage in such electronic transmissions of information indirectly. Indirect transmissions would include the use of a billing service or having a third party submit electronic claims on the physician's behalf.

5. Any civil penalties accruing for violations of the HIPAA privacy standards by this physician would be imposed against his or her employer, if the employer were determined to be a CE.

6. R.I. Gen. Laws § 5-37.3-1, et seq.

7. R.I. Gen. Laws § 5-37.3-9.

8. No case law currently exists interpreting or applying the CHCCIA's criminal penalties.

JOHN ALOYSIUS COGAN, JR., MA, JD

CORRESPONDENCE:
Aloysius Cogan, Jr., MA, JD
Partridge Snow & Hahn LLP
180 South Main Street
Providence, RI 02903
e-mail: jac@...

Copyright Rhode Island Medical Society, Jan 2005. Provided by ProQuest Information and Learning Company. All rights reserved.

From: [mailto: ] On Behalf Of Dr Levin
Sent: Wednesday, August 08, 2007 10:36 PM
To:
Subject: Re: HIPAA violation(s)

My understanding is that there have been 2 HIPAA prosecutions, 1 criminal finding, but this was thrown out. Many, many complaints but no teeth to the law (got that on AMNews). But you decide for yourself.

HIPAA violation(s)

Does anyone know if the victim of a HIPAA violation (the one whose privacy was violated) gets the money (max $50K or max $250K if "malicious") or if the gov't gets the fine? Does malpractice insurance cover it? I think malpractice doesn't cover a physician if a law is broken; is that true?

Disgusting but true event: a teenaged female is sexually assaulted but is intoxicated, so no SANE consult/assault exam was done in the ER. The parent is told "she's just drunk, take her home." Law enforcement issues a "minor in possession" citation based on the blood alcohol value obtained in the ER, but no consent to disclose the BAC was obtained. 5 days later the parent calls the female's ob/gyn to see if the victim should be examined. The ob doc then gossips to office staff when the victim no-shows 1 week after the assault.

My opinion: 2 HIPAA violations and at least one malpractice event. And yes, I am willing to testify for the victim.