Court Clarifies HIPAA's Criminal Rules: Can You Get Prison Time?

Can you go to prison for violating HIPAA even if you're not aware you're breaking the law? A U.S. appellate court says yes.

The decision is an important reminder that ignorance of the law won't protect you from criminal prosecution for violating HIPAA. It hammers home the point that those who access patient information without a valid reason could face jail time. It's a message that's worth sharing with everyone on your staff who potentially has access to protected health information.

The U.S. Court of Appeals for the Ninth Circuit on May 10 rejected a motion to dismiss criminal charges in a headline-grabbing case. You may recall that the case was portrayed by prosecutors as the first in the nation involving a prison sentence for a HIPAA privacy rule violation.

A former University of California at Los Angeles Healthcare System research assistant was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. The employee pleaded guilty to four misdemeanor counts of violating the HIPAA privacy rule. He admitted obtaining individually identifiable health information without a valid reason.

The case dates back to 2003, when the employee received notice that he was being dismissed from his job. On the day he received the notice, he accessed and read his immediate supervisor's medical records and those of other co-workers, according to prosecutors. For three weeks, he continued illegally accessing patient records, including those of celebrities, prosecutors said.

In his plea agreement, the employee admitted he read private electronic records on four occasions after he was formally terminated. At the time, prosecutors said there was no evidence that the employee improperly used or attempted to sell any of the information he illegally accessed.

Details of Appeal

The employee faced criminal misdemeanor charges related to HIPAA's prohibition of "knowingly" obtaining individually identifiable health information in violation of the law. He filed a motion to dismiss on the grounds that he did not know it was illegal to obtain the health information and, therefore, did not act "knowingly." But the court denied the motion, and the employee then submitted a conditional guilty plea, reserving the right to appeal the denial of his motion.

The employee filed an appeal, and the appellate court this month affirmed the denial of the motion to dismiss, finding that, with respect to the criminal HIPAA statute, "knowingly" applies only to the act of obtaining health information and that knowledge of the law is irrelevant.

This case has significant relevance to covered entities and business associates in that it sets a relatively low bar on what conduct may be deemed a criminal violation of HIPAA.

The case provides a valuable "teaching moment." Not only may employees lose their jobs for inappropriately accessing patient information in violation of HIPAA; they also face the risk of criminal prosecution and jail time.

Your HCP compliance training is a vital activity for your organization. So when you conduct your annual HIPAA compliance training, make sure your staff is aware of the severe potential consequences of HIPAA violations that are stated in that training.