Could HIPAA make criminals out of people you know?

Nobody wants to be right at the expense of companies that are trying to improve people's health.

But toward the end of 2014, lots of companies that persistently deal with "Protected Health Information" (PHI) have been slapped with "I-told-you-so" fines that should have been on everyone's radar for more than a year now. Some companies facing enforcement actions aren't even medical firms, but perform work indirectly for healthcare companies where they handle PHI.

Enforcement Rises at an Alarming Rate

Many may soon regret not listening a bit earlier to the many warnings that HIPAA security and privacy enforcement is seriously escalating. Now grace periods are over, and states' attorneys general are using the authority given to them under the HITECH Act provisions to prosecute cases.

California, Texas, Massachusetts and Rhode Island Get Serious about HIPAA

California has also reduced the warning time to 5 to 15 days—depending on the type of the medical business involved—instead of the two months that violators used to get as a grace period.

Parkview Health, an Indiana company, has been slapped with an $800,000 fine for not adequately protecting patient privacy. Massachusetts is extracting more than $150,000 from a women's clinic for a HIPAA breach. Tiny Rhode Island has made itself the leading prosecutor of such cases. Even Puerto Rico's insurance agency is getting into enforcement in a big way, with a $6.8 million HIPAA fine.

Criminal Charges Pursue Some Violators

And in an extra-alarming new turn of events, the attorney general's Eastern District of Texas office announced that it is bringing criminal charges for HIPAA violations.

Yes, that's right. Criminal charges. And while they are not yet common, it is possible to go to jail for breaking HIPAA law. And since HIPAA is a federal law, violations could be prosecuted by federal criminal courts.

To date, most legal penalties imposed under HIPAA law have been fines. But in about a dozen egregious cases—where the courts found that a person had acted knowingly and in violation of HIPAA—they have imposed criminal penalties. The Office of Civil Rights has referred more than 540 complaints to the Department of Justice, with three new ones in November, 2014.

And experts expect stepped-up HIPAA audits and enforcement starting in early 2015, according to announcements made in late 2014.

What does it take to run afoul of HIPAA laws?

Any of the following "knowing" violations of HIPAA could possibly land someone in jail or result in fines according to Edward F. Malone, Esq. of Jenner & Block, LLC:
- Using or causing a unique health identifier to be used
- Obtaining individually identifiable health information relating to an individual
- Disclosing individually identifiable health information to another person

How Severe Are the Penalties?
The severity of the punishment depends on the seriousness of the offense. So far, criminal penalties have only rarely been imposed, and only for the most extreme cases; in a 2010 case, a doctor served a four-month sentence. Violations of HIPAA could result in the following, according to Malone:

- A fine of up to $50,000 and/or imprisonment for up to a year for a simple violation
- A fine up to $100,000 and/or imprisonment of up to five years if the offense is committed under false pretenses
- A fine of up to $250,000 and/or imprisonment of up to ten years for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm

In addition, there could also be additional fines or criminal sanctions if, for example, HIPAA information was used to commit wire or mail fraud.

How to Stay Out of Trouble—And Even Jail

The best way to stay out of trouble is to get your own house in order. Many companies don't realize that they could be covered by HIPAA, either as a "covered entity" or as a "business associate" of someone who is. (Loosely speaking, a business associate is someone performing services directly or indirectly for a healthcare company that accesses information protected under HIPAA.) And since the rules have changed over the years, some companies that you'd think would know they're covered as business associates under HIPAA don't have a clue.

Commonly Overlooked Business Associates
One of the most frequently overlooked business associates is a company's telecommunications provider. In general, storing data such as faxes, voicemail and other personal health information makes your telecommunications provider a business associate.

How will you know? One good indicator is whether or not they're willing to put it in writing with a Business Associate Agreement. If they're not, it could signal uncertainty involving the security and integrity of their own business processes. You definitely do not want to be caught up in someone else's non-compliance issues.

That's one reason why 8x8 has gone to such great lengths to become HIPAA compliant, to offer HIPAA-compliant solutions—AND to offer Business Associate Agreements. It was a long journey (about a year-and-a-half) to achieve compliance and become a HIPAA-compliant Business Associate, but our customers deserve the peace of mind that such agreements offer. Nobody should have to worry about crippling fines or jail because of someone else's noncompliance.

Mike is the 8x8, Inc. Executive Director of Information Security and the Data Privacy Officer responsible for HIPAA, FISMA, PCI, International Data Privacy and all other Compliance. Prior to joining 8x8, Mike was an executive at Visa, Inc., as Global Information Security Business Leader (Senior Director) responsible for approx. half of Visa's Global Information Security and Compliance. Prior to that, Mike was an executive with HP Americas Professional Services in the Information Security, CIO/CISO Advisory practice areas for 12 years. Mike is an active member of the American Bar Assoc. (AMA) SciTech Law – Information Security (ISC) and eDiscovery & Data Governance Committees. Mike is a board member of President Obama's strategic infrastructure cyber defense InfraGard Group partnering with the FBI and Homeland Security. He is a board member of the HIMSS Healthcare organization, a past board member and board advisor to the Silicon Valley International Systems Security Association's (ISSA) Board of Directors, an original member of the Cloud Security Alliance (CSA), and an active member of the Information Systems Audit & Control Assoc. (ISACA). Mike is a member of the U.S. Secret Service's Cyber Crime Task Force and a partner in the Northern California Regional Intelligence Center (NCRIC). Mike is a frequent Information Security, Compliance and Data Privacy speaker. This includes speaking at the world's largest Information Security Conference RSA, ISSA International and other major events.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2017.