Federal Prosecutors Pursue Criminal Charges Against Hospital Worker for HIPAA Violations

Under the Health Insurance Portability and Accountability Act of 1996, individuals and covered entities can face criminal charges for violations of HIPAA Privacy and Security Rules, and federal prosecutors have now taken this somewhat uncommon step following a case of wrongful disclosure of PHI.

Texan prosecutors filed an indictment in the Tyler District Court against Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas. The case was filed earlier this year but it was sealed until July 3.

Hippler faces one count of violations of HIPAA Rules after he stole medical records from the hospital where he worked. According to a statement provided to Security Media Group, and reported on databreachtoday.com, a spokesperson for the Department of Justice said “We cannot comment on how many patient records, his job, employer or the nature of the violation in detail as this is an ongoing investigation,” she says. “The violation came to light when Hippler was arrested in Georgia and found to be in possession of patient records. Although criminal HIPAA charges are uncommon, our decision to charge Hippler is not based on any DOJ directive or crackdown.”

The case has been scheduled to commence on Sept 3, 2014, and if found guilty, Hippler could potentially be issued with a fine of $250,000 and could face up to 10 years in prison.

Even though criminal charges can be filed, to date there have been few cases that have been heard by the courts. Court cases are usually reserved for cases of medical or identity fraud, and in this instance, while there may have been intent to sell the information does not appear to have been disclosed to other individuals.

The majority of cases of improper disclosure of medical information involve no malicious intent and many involve accidental disclosure of PHI. Many of these cases also involve multiple members of staff and arise out of a lack of training on HIPAA Privacy and Security Rules, with the institution itself to blame in the majority of cases for failing to provide training as required under the Security Rule Administrative safeguards.

However, the value of healthcare data coupled with lax security standards in many hospitals is proving tempting for many employees and each year there are numerous cases of improper accessing of medical records by hospital employees.

While a criminal case such as this cannot undo a data breach, it does bring the matter to the attention of the media and sends a message to healthcare workers that the theft of PHI will not be tolerated. Action can, and is taken against individuals that violate the privacy of patients by accessing or stealing their healthcare information and personal identifiers, and the penalties for these actions can be severe.

This incident should also serve as a warning to healthcare organizations that they must take patient privacy seriously and implement policies and procedures to protect the data they hold on patients. Not only can criminal charges be filed against workers for snooping on patient data, the organizations that these individuals work for could also face stiff financial penalties if it is discovered that they have not provided training on HIPAA Privacy and Security Rules or have not instructed the staff of the consequences of violating HIPAA Rules.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.