I was asked to comment for a story about a recent case in Texas in which criminal charges were filed against an individual for the misuse of Protected Health Information ("PHI"). Criminal charges have been available under the Health Insurance Portability and Accountability Act ("HIPAA") since it went into effect in 2003. However, as the law enters its second decade, we are seeing both the regulators and the regulated come to understand privacy and security better, including the harms that flow from noncompliance. This story made me think it might be helpful to provide a brief summary of the legal risks, in both the civil and the criminal context, of failing to comply with HIPAA.
Regulatory Action and Civil Penalties. Probably the most common enforcement actions we have seen have come from the Office of Civil Rights ("OCR"), which is tasked with HIPAA enforcement by the Department of Health and Human Services ("HHS"). In recent years, we have seen OCR bring more actions, resulting in larger and larger penalties for organizations with compliance failures. Under HIPAA, OCR may impose a penalty for a failure to comply with a requirement of the HIPAA Privacy Rule. Penalties vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, and whether the covered entity's failure to comply was due to willful neglect. Penalties may not exceed a calendar-year cap for multiple violations of the same requirement.
OCR will not impose penalties if the failure to comply was not due to willful neglect and the error was corrected within thirty (30) days of the regulated entity having notice of the issue or receiving written notice of the violation from OCR. Likewise, if the Department of Justice is pursuing a criminal action under HIPAA, OCR will not impose civil penalties. If OCR does decide to impose penalties, covered entities still have the right to an administrative hearing to review the alleged violations.
Criminal prosecution. Prosecutions of individuals under HIPAA's criminal provisions are handled by the Department of Justice, not OCR. Also, because the charges are criminal, they are brought against an individual rather than an organization such as a covered entity or business associate. To be convicted under HIPAA, a person must be proven to have "knowingly obtain[ed] or disclose[d] individually identifiable health information" in violation of the Privacy Rule.
In the Texas case, it would appear the stakes are of the highest order. The individual was charged with the wrongful disclosure of individually identifiable health information, with the intent to sell, transfer and use it for personal gain. As I shared in the article, the "honeymoon" is indeed over. Companies and individuals alike are on notice to comply with HIPAA and to work vigilantly to keep up with emerging risks and threats to the PHI in their possession.