While I was conducting some research on compliance laws for a customer, I found myself reviewing the penalties written into the 1996 Health Information Portability and Accountability Act, otherwise known as HIPAA. The act calls for health organizations “to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information”. So far so good. But what happens when a hospital doesn’t comply with implementing these safeguards, or if a medical worker makes a wrongful disclosure by obtaining “individually identifiable health information relating to an individual”?
It’s one thing to be aware of these laws and their penalties in an abstract way, and yet another to see the wheels of justice grind away when there are real-world violations.
Let’s look at the wrongful disclosure penalty clause of HIPAA first, which does mention imprisonment.
Has anyone ever gone to jail for snooping in a file and viewing electronic protected health information or e-PHI, which is essentially a medical-style PII?
The answer is … yes. The Department of Health and Human Services, which is in charge of enforcing the HIPAA rules through its Office for Civil Rights, has been particularly vigilant in recent years in protecting medical privacy rights.
Back in 2003, a California medical researcher and surgeon, who had been given a dismissal notice by his university employer, decided to access several hundred medical records over a three-week period before leaving his job. Since this was a Los Angeles hospital, its patient pool included many well-known celebrities and other high-profile figures—for starters, Leonardo DiCaprio, Tom Hanks, and Drew Barrymore.
HHS was notified of the incident and the case was ultimately referred to the US Department of Justice, which decided to prosecute the doctor. In 2010, the doctor pleaded guilty to misdemeanor charges in violation of HIPAA’s medical privacy protections, and specifically admitted to, that’s right, obtaining individually identifiable health information “without a valid reason, medical or otherwise”. From what we know about the incident, there was no evidence that the doctor was trying to sell the medical records.
The doctor was ultimately sentenced to three months in a federal prison —the first person to be incarcerated under HIPAA’s penalties.
In other words, merely peeking at a file led to a prison term. Of course, HIPAA does make allowances for employees accidentally viewing records, or for medical workers who need to interact with medical data as part of their job, but the evidence in this case showed intentional actions, not part of a job function, to access e-PHIs.
What about less drastic measures, say, fines? It is far more likely that a medical organization or health provider will be facing monetary penalties, not jail time, for their HIPAA violations, most commonly for not implementing proper security safeguards.
You can read about incidents here and here involving medical information breaches, which led HHS to levy fines in excess of one million dollars against a hospital and a state health department for not having procedures in place to secure personal medical information. In both cases, medical records leaked out into devices (a laptop and a USB drive) that were either lost or stolen.
There are a few lessons to be learned from these medical information security cases. In the incident involving the doctor, better file-level auditing and alerting might have led to detection much earlier instead of allowing for three weeks of unlimited access. And at least one of those breaches might have been prevented with a combination of policy and technology that restricted e-PHI access to certain users and/or certain devices.
If you’re an IT person or HIPAA officer in a medical organization and reading this, there’s no need to panic. According to the Office for Civil Rights, most complaints it receives are resolved without serious actions through either voluntary compliance or corrective actions. However, if you’d like to avoid the HIPAA enforcement process altogether, you may want to start accessing your risk areas. Here are a few questions you may want to ask yourself to get started:
- Do you know where your e-PHI data resides?
- Do you know who can access it?
- Do you know who does access it?
- What is the request process for someone who legitimately needs access to medical records?
- Does legitimate access get revoked when no longer needed? How?
These questions represent the tip of the iceberg, of course, when it comes to HIPAA regulatory compliance and data protection.
If any of them gives you pause, you might want to rethink your compliance strategy.