Criminal Enforcement Under HIPAA: Covered Entities, DOJ and You. Presented by John N. Joseph April 24, 2006 HCCA Compliance Institute

Transcription

1 Criminal Enforcement Under HIPAA: Covered Entities, DOJ and You Presented by John N. Joseph April 24, 2006 HCCA Compliance Institute

2 Wrongful Disclosure of Individually Identifiable Health Information A person violates 42 U.S.C. 1320d-6 (2005) if they knowingly (1) use or cause to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person

3 Wrongful Disclosure of Individually Identifiable Health Information Penalties (1) a fine of not more than $50,000, imprisonment of not more than 1 year, or both (2) If the offense is committed under false pretenses, a fine of not more than $100,000, imprisonment of 5 years, or both; and

4 Wrongful Disclosure of Individually Identifiable Health Information Penalties (Continued) (3) If the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000, imprisonment of not more than 10 years, or both

5 What Does This Mean? 1. Who does this law apply to? Everyone!? 2. What is the required level of intent? Knowingly!?

6 United States v. Gibson, Crim. No (W.D.Wa.) Gibson Pled Guilty in Seattle to One Count of a Violation of HIPAA Gibson was a lab technician Stole cancer patient s personal identifiers Fraudulently obtained a credit card

7 United States v. Gibson, Crim. No (W.D.Wa) Gibson is guilty of violating HIPAA provision 42 U.S.C. 1320d-6(a)(1) Gibson was subject to imprisonment of up to 10 years and a fine of $250,000 under 42 U.S.C. 1320d-6(b)(3)

8 DOJ Office of Legal Counsel Memorandum, June 1, 2005 HHS General Counsel Alex M. Azar II requested an opinion from DOJ, just to be sure. HHS wanted to know: 1. Could other people, besides Covered Entities, violate 42 U.S.C. 1320d-6? 2. What does Knowingly mean?

9 What Does Knowingly Mean?

10 What Does Knowingly Mean? A Person need only knowingly use, disclose or obtain Personal Health Information A person does NOT need to know that such use violates HIPAA

11 Who Has Exposure Under 42 U.S.C. 1320d-6?

12 Who Has Exposure Under 42 U.S.C. 1320d-6? DOJ ruled that ONLY Covered Entities, as defined by 42 U.S.C. 1320d-1, can violate HIPAA non-disclosure provisions.

13 What Are Covered Entities?

14 What Are Covered Entities? Health Plans Health Clearinghouses Health Care Providers Discount Drug Card Sponsors

15 Who Is NOT exposed under 42 U.S.C. 1320d-6?

16 Who Is NOT exposed under 42 U.S.C. 1320d-6? Non-Provider Employees Office Staff Lab Worker Other employees Anyone Else Outside the Covered Entity Subcontractors Business Professionals

17 United States v. Gibson, Crim. No (W.D.Wa) Wrongly Convicted? Gibson is NOT a Covered Entity under HIPAA Cannot be charged under 42 U.S.C. 1320d-6(a)

18 What Privacy Advocates Thought of DOJ s Opinion:

19 How Can Personal Health Information ( PHI ) Be Protected? Azar Memorandum suggests 2 ways to protect PHI when person is not a Covered Entity 18 U.S.C. 2, Aiding and Abetting 18 U.S.C. 371, Conspiracy

20 How Can Personal Health Information ( PHI ) Be Protected? Government can still use the old reliable go to statutes: Mail Fraud, 18 U.S.C Wire Fraud, 18 U.S.C Bank Fraud, 18 U.S.C Identity Theft, 18 U.S.C. 1028

21 How Can Personal Health Information ( PHI ) Be Protected? These Statutes May Provide More Serious Deterrent For Fraudulent Use of PHI: Bank Fraud = 30 year maximum Mail Fraud = 20 year maximum Wire Fraud = 20 year maximum Identity Theft = 20 year maximum HIPAA Violation = 10 year maximum

22 HIPAA Is Still An Important Criminal Deterrent Corporate Covered Entities can be held responsible for the actions of its employees Employee acting within the scope of employment + Acting for the benefit of the corporation = Criminal exposure for Covered Entity

23 HIPAA Is Still An Important Criminal Deterrent Compliance Officers must be vigilant Cannot rely on Government being satisfied with prosecution of employee Review All PHI Handling Procedures Conduct Annual PHI Training Ensure Implementation Of Protective Measures

24 HIPAA Is Still An Important Criminal Deterrent Covered Entities should not face exposure for the actions of rogue employee, IF: Employee outside scope of employment Acted for personal benefit, and not for the Covered Entity

25 HIPAA Is Still An Important Criminal Deterrent Protection Of Key Employee Could Result In Criminal Exposure: Aiding and Abetting, 18 U.S.C. 2 Accessory After the Fact, 18 U.S.C. 3 Misprison of a Felony, 18 U.S.C. 4 HHS-OIG Self-Disclosure Regulation

26 HIPAA Is Still An Important Criminal Deterrent Compliance Officers and Managers beware of individual exposure In certain cases DOJ says that there may be individual liability Even if the individual had NO DIRECT INVOLVEMENT with the HIPAA offense

27 HIPAA Is Still An Important Criminal Deterrent May be the beginning of Sarbanes-Oxley type principles for Non-Profits and Privately Held Entities Reckless Disregard Deliberate Ignorance

28 HIPAA Is Still An Important Criminal Deterrent Redouble Efforts To Make Sure That: Policies and Procedures are Up to Date and Fully Implemented All Employees Are Effectively Trained On a Regular Basis All Inappropriate Disclosures are Investigated and Sanctioned