
From the HIPAA Case Files: Jail Time, Fines, and Access Rights

Michael Buckbee
3 min read
Published January 16, 2013
Last updated March 10, 2023

While I was conducting some research on compliance laws for a customer, I found myself reviewing the penalties written into the 1996 Health Insurance Portability and Accountability Act, otherwise known as HIPAA. The act calls for health organizations “to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information”. So far so good. But what happens when a hospital doesn’t implement these safeguards, or when a medical worker makes a wrongful disclosure by knowingly obtaining “individually identifiable health information relating to an individual”?

It’s one thing to be aware of these laws and their penalties in an abstract way, and yet another to see the wheels of justice grind away when there are real-world violations.


Let’s look at the wrongful disclosure penalty clause of HIPAA first, which does mention imprisonment.

Has anyone ever gone to jail for snooping in a file and viewing electronic protected health information, or e-PHI, which is roughly the health-care counterpart of PII?

The answer is … yes. The Department of Health and Human Services, which is in charge of enforcing the HIPAA rules through its Office for Civil Rights, has been particularly vigilant in recent years in protecting medical privacy rights.

Back in 2003, a California medical researcher and surgeon, who had been given a dismissal notice by his university employer, decided to access several hundred medical records over a three-week period before leaving his job. Since this was a Los Angeles hospital, its patient pool included many well-known celebrities and other high-profile figures—for starters, Leonardo DiCaprio, Tom Hanks, and Drew Barrymore.

HHS was notified of the incident and the case was ultimately referred to the US Department of Justice, which decided to prosecute the doctor. In 2010, the doctor pleaded guilty to misdemeanor charges of violating HIPAA’s medical privacy protections, and specifically admitted to obtaining individually identifiable health information “without a valid reason, medical or otherwise”. From what we know about the incident, there was no evidence that the doctor was trying to sell the medical records.

The doctor was ultimately sentenced to three months in a federal prison —the first person to be incarcerated under HIPAA’s penalties.

In other words, merely peeking at files led to a prison term. Of course, HIPAA does make allowances for employees who accidentally view a record, and for medical workers who need to interact with medical data as part of their job. The evidence in this case, however, showed intentional, repeated access to e-PHI that was not part of any job function.

What about less drastic measures, say, fines? It is far more likely that a medical organization or health provider will be facing monetary penalties, not jail time, for their HIPAA violations, most commonly for not implementing proper security safeguards.

HHS has also published enforcement actions involving medical information breaches in which it levied fines in excess of one million dollars against a hospital and a state health department for not having procedures in place to secure personal medical information. In both cases, medical records ended up on devices (a laptop and a USB drive) that were lost or stolen.

There are a few lessons to be learned from these medical information security cases. In the incident involving the doctor, file-level auditing with alerting on unusual access patterns (one user opening hundreds of patient records he had no treatment relationship with) might have led to detection within hours instead of allowing three weeks of unrestricted access. And at least one of the device breaches might have been prevented with a combination of policy and technology that restricted e-PHI access to specific users and/or specific, managed devices.

If you’re an IT person or HIPAA officer in a medical organization and reading this, there’s no need to panic. According to the Office for Civil Rights, most complaints it receives are resolved without serious action, through either voluntary compliance or corrective action. However, if you’d like to avoid the HIPAA enforcement process altogether, you may want to start assessing your risk areas. Here are a few questions you may want to ask yourself to get started:

  • Do you know where your e-PHI data resides?
  • Do you know who can access it?
  • Do you know who does access it?
  • What is the request process for someone who legitimately needs access to medical records?
  • Does legitimate access get revoked when no longer needed? How?

These questions represent the tip of the iceberg, of course, when it comes to HIPAA regulatory compliance and data protection.

If any of them gives you pause, you might want to rethink your compliance strategy.

