Criminal HIPAA case targets employee, not clinic, for breach

Still, legal experts warn of state civil liabilities for physician practices in such situations.

Posted July 14, 2008


The latest HIPAA criminal case may signal more aggressive efforts by the government to root out privacy breaches, while highlighting some legal risks for doctors and other "covered entities" for violations made by their employees, experts said.

A former Northeast Arkansas Clinic employee recently entered a guilty plea with the U.S. Attorney for the Eastern District of Arkansas for allegedly wrongfully disclosing a patient's protected health information and using it for personal gain and malicious intent.

Andrea Smith, a clinic nurse, accessed the unnamed patient's medical file and shared the contents with her husband. He later told the patient he planned to use the private information in an upcoming legal proceeding, according to the indictment.

The Arkansas case is believed by legal observers to be only the fourth criminal case brought under the Health Insurance Portability and Accountability Act since its medical records privacy rules went into effect in 2003.

U.S. Attorney Jane W. Duke said in a statement that HIPAA criminal prosecution is a "fairly new concept." At the same time, however, she issued a warning that the federal government intends to pursue "vigorous enforcement" of the privacy protections.

"What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated," Duke stated following Smith's April plea agreement.

Compared with past cases -- which involved additional charges for fraud and identity theft -- the Arkansas incident "was a straight HIPAA conviction," noted Cynthia M. Stamer, a HIPAA privacy lawyer with Glast, Phillips & Murray in Dallas. It was brought solely for an unlawful privacy disclosure.

Smith's attorney could not be reached for comment. Smith faces up to 10 years in prison, $250,000 in fines or both. Charges against her husband were dropped following the plea agreement.

Legal experts said it is significant that Northeast Arkansas Clinic -- which terminated Smith when it found out about the breach -- was not charged in connection with the case.

Dept. of Justice guidelines issued in 2005 indicated that covered entities, such as physicians, hospitals and health insurers, would be the ones to face criminal penalties for unauthorized disclosures, but not necessarily individuals, such as employees.

"It's now clear that there is a willingness [by the government] to prosecute when individuals are using [protected health information] for personal benefit, whether financial or otherwise," Stamer said.

Protecting yourself

Philip H. Lebowitz, a HIPAA lawyer and partner with Philadelphia-based Duane Morris LLP, said health care entities are unlikely to face criminal sanctions if they have adequate protections in force or are unaware of an unlawful disclosure by an employee.

"If the clinic were on notice or didn't do anything [about the breach], that would potentially cross the line," he said.

Northeast Arkansas Clinic CEO Jim Boswell said the facility has "stringent policies in place to deal with HIPAA violations."

After receiving a complaint from the patient involved, the clinic conducted an internal investigation and immediately terminated Smith, he said. The clinic staff also worked with federal authorities in their probe.

"We will continue to educate and reinforce to our employees the importance of maintaining patient confidentiality," Boswell said.

Even if spared criminal prosecution, doctors or other covered entities that lack careful privacy controls could incur federal civil penalties for negligence, Lebowitz added. However, the Dept. of Health and Human Services has yet to impose any civil fines.

Legal observers warn that physician offices dealing with a privacy breach by an employee also are exposed to state civil liability claims brought by patients.

Most states enacted privacy laws based on the federal privacy statute, Stamer added.

Lebowitz said plaintiffs are finding "increasingly creative methods" to use HIPAA as a standard for establishing various types of state-based claims.

A November 2006 ruling by the 5th U.S. Circuit Court of Appeals was the first decision to affirm that patients cannot sue directly under HIPAA in federal court; only the U.S. government can do so. But the judges suggested that patients could continue to bring privacy claims in state court.

Legal experts point to a North Carolina case as one of the first tests.

A state appeals court there in December 2006 green-lighted a lawsuit in which a clinic patient sued the clinic owner for negligence for allegedly breaching the medical privacy provisions under HIPAA. The clinic owner, a physician, allegedly gave his medical records password to an office manager, who later disclosed the patient's confidential information to a third party. The case ultimately was settled.

In addition to implementing sufficient privacy and security policies with legal assistance, doctors' best defense is ensuring those procedures are enforced, experts said.

"Without repercussions it looks like you don't care and are condoning breaches that occur," Lebowitz said.



Protecting privacy

The Dept. of Health & Human Services Office for Civil Rights is charged with enforcing the HIPAA privacy rule. Here's a look at how complaints may be handled.

Step 1: OCR reviews the complaint.

Step 2: If OCR determines a possible criminal violation, go to Step 5.

Step 3: If OCR determines a possible civil privacy rule violation, go to Step 8.

Step 4: If OCR determines a possible security rule violation, go to Step 10.

Step 5: OCR refers possible criminal violations to the Dept. of Justice. The Justice Dept. can either accept the case for investigation (Step 6) or send the case back to OCR (Step 7).

Step 8: OCR investigates the suspected privacy violation. It can find no violation, obtain voluntary compliance or another settlement, or issue a formal action such as civil monetary penalties (Step 9).

Step 10: OCR refers the case to the Centers for Medicare & Medicaid Services, which can coordinate its investigation with OCR.

Source: Dept. of Health & Human Services, Office for Civil Rights
