Jail Time for a HIPAA Violation?!?
By Melissa Borrelli
Utilizing the Powerful Real-World Consequences of Privacy Violations to Boost the Effectiveness of Compliance Training
With all of the attention paid to the increasingly steep civil liability penalties for HIPAA violations (in some cases reaching over $5 million[1]), one can’t forget about the threat of criminal penalties, including hefty personal monetary fines and jail time of up to ten (10) years.
Recent criminal HIPAA convictions include:
- An Alaskan hospital employee sentenced to two years in prison for providing a friend with the hospital records of two patients who were assault victims of the friend. The records included the identity of the victims and the severity of their injuries, what they told hospital staff about their injuries, and whether the records showed that they cooperated with law enforcement—information presumably to be used to intimidate the victims into not cooperating with the police.[2]
- A California researcher sentenced to four months in jail for accessing and reading medical records without a permissible reason, including those of his supervisor, co-workers, and several celebrities.[3]
- A Georgia man sentenced to over five years in prison for impersonating a physician, fraudulently “treating” over 1,110 patients, and wrongfully disclosing their health information.[4]
- An 18-month sentence for a Texas hospital employee who improperly obtained PHI with the intent to use it for personal gain.[5]
Most recently, a Massachusetts gynecologist was convicted of criminal violation of HIPAA for allowing pharmaceutical company sales representatives to access the PHI of her patients by providing them carte blanche access to their medical files.[6] Her sentencing is forthcoming and is expected to include jail time. In connection with this case is the conviction of several of the pharmaceutical company employees that accessed that information. Their sentencing is expected to occur this summer.
Note that most of these instances involved “insiders” or “credentialed” threats—employees with trusted access to internal systems and records containing PHI and other confidential and sensitive information. A recent Ponemon Institute study concluded that the insider threat to privacy and security is formidable, and that the root cause of most security incidents was the negligence or criminal intent of an insider.[7]
To be sure, criminal prosecutions and jail time for HIPAA violations are infrequent; however, the threat of the loss of liberty can serve as a powerful motivation in your compliance, privacy, and security training.
Arguably, the most underrated and overlooked of the Office of the Inspector General’s (“OIG”) Seven Elements of an Effective Compliance Program (“Seven Elements”) is training. Due to the demands of the profession, most compliance personnel create an initial “check the box” training and then regurgitate it year after year. This ensures your audience will become immune to its teachings—how many times have you absent-mindedly clicked through a training you’ve taken several years in a row?—and results in ineffectual, stale, unproductive education and a missed learning opportunity.
A focus on training, however, is exceedingly important, as prevention of incidents in the first place is the best opportunity to avert devastating insider threats before serious, and sometimes irrevocable, damages are inflicted.
Instead of perpetuating the cycle of futile training, take advantage of existing annual review processes, e.g., the annual review of policies and procedures, and review your training once a year.
Reviewing your training at least once each year helps ensure that the content remains relevant, can include updated examples (there is little more influential in lesson learning than actual, tangible examples of the consequences of bad decisions), and is customized to the duties, responsibilities, and processes of your workplace (which frequently change due to new software and equipment deployment and shifting programs and business needs). In fact, the OIG recommends training that is generalized as well as specialized to the personnel, functions, and risks of a particular organization.
Timely, real-world examples, such as those above, can also serve as cautionary tales in compliance newsletters and other publications between trainings.
For a compliance professional, one of the most important lessons to be taken from these HIPAA criminal cases is their power as an educational and training tool. Capitalize on these occurrences to better your compliance, privacy, and security training and other communication efforts. Use existing annual review procedures to review and revise your training each year so that it stays up-to-date and relevant to changes in the organization.
If you need assistance reviewing your policies, procedures, or training, please do not hesitate to contact the Health Care Consultants at Mazars USA LLP or visit mazarsusa.com/hc for assistance.