This month we look at a case involving a HIPAA privacy violation. This case is particularly important (and unusual) because it illustrates two points: 1) a person can get jail time for a HIPAA violation (even a misdemeanor violation), and 2) ignorance of the law does not protect you.
Dr. H was in his mid-40s when he took a research position with a large, well-known health system in a major city. The research position was not what Dr. H wanted, but he had a family to support, and had to take whatever employment he could. In his native country of China, Dr. H had been a cardiothoracic surgeon, but since immigrating to the United States a few years ago, his job options had been limited. Although he felt that the research position was beneath him, he also felt he had no choice, at least until his English became more fluent and he obtained the requisite licensing to perform surgery again. His wife also worked, but they had three small children to support, and they were living in an expensive part of the country.
Dr. H’s frustration with the position was apparent to many of his colleagues, and his discomfort with speaking English meant that he tended to be a loner. His performance reviews were poor, and in less than a year he was given notice that he was going to be terminated from the job. His employer had an appeal process, and a grievance hearing regarding his termination was set. In the meantime, Dr. H began idling away his remaining days at the health system by looking at patient records for entertainment. The day he was notified of his termination, he accessed the first one – that of his immediate supervisor. Over the next few weeks, Dr. H browsed the medical records of many of his colleagues. He also viewed the records of the health system’s many high-profile patients, including well-known movie stars, television personalities, and people in public office.
Dr. H never shared the information he saw in the records. He didn’t talk about it with his wife, or try to sell the information about the celebrity patients to the tabloids. He knew he shouldn’t be looking at records of patients who were not his, but believed that as long as he didn’t share the information he gained, it wasn’t a problem. Thus, he didn’t believe that he had committed a federal offense.
After losing his job, Dr. H was hit with another shock – he was charged by the government with violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which imposes a misdemeanor penalty on a person who knowingly and in violation of the act obtains individually identifiable health information relating to an individual.
Dr. H immediately hired a defense attorney, who told him that although there was information that Dr. H had illegally accessed patient records over 300 times, the government was only charging him with four counts, instances which had taken place after he was no longer working at the health system.
“But I didn’t do anything wrong,” said Dr. H. “I never sold the information or told anyone about it.”
“They aren’t charging you with selling the information,” said the attorney. “If they were, you would be facing a felony and a lot of jail time. They are charging you with simply accessing identifiable health information without a valid reason for doing so. You were not treating any of those patients. And in the last several instances, you weren’t even working for the health system anymore.”
“But I didn’t know that was a crime…” said Dr. H.
The attorney made a motion to dismiss the case, seeking to have the charges against Dr. H dropped. The court denied the motion. Then the defense attorney sought to have the court issue jury instructions telling the jury that elements of the case required that the defendant knew that obtaining the personal medical information was a violation of criminal laws. The court refused. Faced with what appeared to be a losing proposition, Dr. H entered a conditional plea of guilty, reserving his right to appeal his original motion to dismiss the case. Dr. H was sentenced to four months in prison, followed by a year of supervised release, and a $2,000 fine. Dr. H appealed the case.
On appeal, the Ninth Circuit held that the plain text of the statute does not limit its application to people who knew their actions were illegal. Rather, the court stated, “the misdemeanor applies to defendants who knowingly obtained individually identifiable health information relating to an individual, and obtained that information in violation of HIPAA.” The key language, according to the court, was “knowingly and in violation of this part.” Dr. H wanted it to be interpreted as “knowingly, in violation of this part” – therefore presuming that knowledge that it was a violation was necessary for conviction. The court, however, disagreed, saying that if the statute did not contain the word “and,” Dr. H’s argument might be more persuasive. “However, we cannot ignore ‘and’ because its presence often dramatically alters the meaning of a phrase,” wrote the court in its decision. “Without ‘and,’ the Second Amendment would guarantee ‘the right of the people to keep bear arms,’ Leo Tolstoy would have published ‘War Peace,’ and James Taylor would have confusingly crooned about ‘Fire Rain.’”
The court went on to say that “HIPAA’s legislative history indicates that Congress intended broadly to apply this misdemeanor criminal penalty,” and that “our conclusion is supported by Congress’s decision not to require willfulness as an element of the crime.”
The court refused to dismiss the case, and Dr. H’s conviction stood.
Criminal penalties for HIPAA violations are rare, but not unheard of. Civil penalties (fines) are far more common. In this case, Dr. H’s employer faced civil HIPAA violations due to its employee’s actions. The health system ended up paying over $800,000 in civil fines related to this case.
This case stands for the proposition that ignorance of the law is no excuse.
Criminal penalties for HIPAA violations can be severe. In Dr. H’s case, he was facing a fine of up to $50,000 and a year in jail. If the offense were committed under false pretenses, a perpetrator could be fined up to $100,000 and imprisoned for up to 5 years. And finally, if the offense is committed with intent to sell, transfer, or use the health information for personal gain or to harm someone, a perpetrator may be fined up to $250,000 and imprisoned for up to ten years.
Protecting yourself is not difficult – avoid, at all costs, accessing medical records that you have no legitimate medical purpose to view. Patient privacy is paramount – treat it that way.