A former hospital employee in East Texas has been indicted by federal prosecutors for criminal violations of the Health Insurance Portability and Accountability Act (“HIPAA”). Allegedly, the former employee obtained protected health information (PHI) with the intent to use the information for personal gain between December 1, 2012 and January 14, 2013. He has been indicted on charges of Wrongful Disclosure of Individually Identifiable Health Information.
If convicted, the individual might face up to 10 years in prison in addition to monetary fines for knowingly obtaining or disclosing PHI with the intent to sell, transfer, or use the data for personal gain or malicious harm. Such criminal charges have been brought under HIPAA infrequently, but there have been some high-profile criminal charges brought under HIPAA since 2004.
Agents from the U.S. Department of Health and Human Services – Office of Inspector General (HHS-OIG) and the U.S. Postal Inspection Service conducted the investigations leading to the charges.
For small to medium-sized practices, a HIPAA violation that could lead to a breach or criminal charges can also hurt the practice’s reputation and cause great embarrassment for the providers.
An important part of HIPAA compliance is to conduct a Risk Analysis to assess the vulnerabilities and threats to your PHI and list corrective actions. Another very important part is to conduct regular HIPAA training for all employees and inform them of both their obligations and potential (criminal) liabilities under HIPAA.