A recent decision serves as a reminder that violations of HIPAA may trigger criminal liability. The Ninth Circuit Court of Appeals held that a former hospital employee is subject to HIPAA’s criminal penalties for the unauthorized access to patient records after he was terminated. The former employee was sentenced to four months in prison, followed by a year of supervised release, as well as a $2,000 fine, for accessing the medical records of co-workers and celebrities.
HIPAA Criminal Liability
The criminal penalties apply to anyone who “knowingly and in violation of [HIPAA]” obtains individually identifiable information relating to an individual. 42 U.S.C. § 1320d-6(a) (emphasis added). Violators may be subject to fines of up to $250,000 and a prison term of up to 10 years, depending upon what the violator intends to do with the information.
The focus of the decision was the former research assistant’s argument that this prohibition should be limited to acts he knew were illegal. He argued that his ignorance of the statutory prohibition should shield him from criminal liability. The court disagreed, clarifying that it is the knowledge of the act – not of its lawfulness – that triggers criminal liability under HIPAA. Referencing the Bill of Rights, Tolstoy, and Sweet Baby James, the court focused on the use of the conjunction “and”:
Without “and,” the Second Amendment would guarantee “the right of the people to keep bear arms,” Leo Tolstoy would have published “War Peace,” and James Taylor would have confusingly crooned about “Fire Rain.”
Quite artfully, indeed, the court made clear that the HIPAA criminal prohibition does not require that the defendant know that their actions were illegal.
What This Means
Although these criminal penalties have been on the books since HIPAA’s inception, enforcement certainly has not been robust. As discussed previously by Rachel Grunberger at InsidePrivacy, federal legislators have expressed dissatisfaction with the lack of enforcement (as of late 2011, the Department of Justice had prosecuted only 16 HIPAA violations). Support for these sentiments now appears stronger than ever, and if the recent uptick in civil enforcement is any indication, more criminal prosecutions are likely on the way.
Moreover, this recent decision highlights that the burden on the prosecution is not a heavy one. Providers may want to consider using this example as one more tool to encourage their staff to be mindful that everyone is responsible for maintaining the privacy and security of their patient health information.