3rd HIPAA criminal case hints at federal tactics

When HIPAA privacy rules went into effect in 2003, doctors, hospitals and other "covered entities" wondered if the government would go after them for violations made by their employees. A Justice Dept. memo issued June 2005 seemed to make it clear that would be the case.

But as the department began prosecuting the third criminal case involving privacy breaches, its tactics indicate the government isn't sticking completely with that stance, some legal experts say.

In September, the Justice Dept. indicted a former Cleveland Clinic employee for conspiracy to commit health care fraud. Isis Machado worked as a front desk office coordinator at the Cleveland Clinic in Weston, Fla., where the government alleges she "exceeded her authorized access" to the hospital's computers to download the protected health information of more than 1,100 patients. The information included patients' names, birth dates, Social Security numbers, Medicare identification numbers and addresses.

Machado allegedly stole the private information and sold it to her cousin, Fernando Ferrer Jr., her alleged co-conspirator, according to the U.S. Attorney's Office for the Southern District of Florida in Miami. Ferrer owns a medical claims company, Advanced Medical Claims Inc., in Naples, Fla., and allegedly submitted about $2.8 million in false claims to Medicare, according to the indictment.

Legal experts say it is significant, especially in light of the Justice Dept. memo, that the Cleveland Clinic has not been charged in connection with the privacy breach.

The memo clarified that HIPAA criminal penalties for unauthorized disclosure apply directly to covered entities, such as physicians, hospitals and health insurers, but not to their employees. The opinion said that individuals who violate the rule could face other penalties for identity theft or for aiding and abetting, but "that would require that the entity itself be indicted," said health care lawyer and HIPAA expert Barbara Bennett, a partner at the Washington, D.C.-based firm Hogan & Hartson.

However, the Florida case and the others before it may show that federal authorities are taking a different tack.

Government officials are "clearly sending the industry a message that if you are doing the right things, they are going to go after the bad actors and do what they can to work with your systems," said Jacqueline M. Darrah, a health care lawyer and HIPAA compliance specialist for Halleland Lewis Nilan & Johnson PA, in Minneapolis.

Attorneys for Machado and Ferrer could not be reached for comment. If convicted, the individuals face up to 25 years in prison and $500,000 in fines for HIPAA and other violations.

Cleveland Clinic spokeswoman Eileen Sheil said the privacy breach at the Florida hospital was an "isolated incident." Another employee identified the problem and reported it to local hospital administration June 26.

"We took action on it immediately and worked very closely with local and federal authorities to make sure we did everything to cooperate and provide any and all information," Sheil said. The hospital had no relationship with Advanced Medical Claims, she added.

The clinic set up a toll-free telephone number and sent letters notifying potentially affected patients. So far no patients have reported any financial losses as a result of the breach, she said.

Currently, the clinic is revisiting its privacy policies. "We are training employees and being clear on our expectations about how this information is to be handled with the utmost confidentiality," Sheil said.

A trend emerging?

In the two criminal cases preceding the Florida prosecution, the government also did not pursue the entity that employed the person in question. The first case, in 2004, involved phlebotomist Richard W. Gibson. He was charged with stealing the personal information of a cancer patient at Seattle Cancer Care Alliance, and incurring $9,000 in charges on a credit card he got using the patient's identity.

In the second case in 2005, Liz Arlene Ramirez was convicted of selling the confidential medical information of an FBI agent to someone she believed was working for a drug trafficker. Ramirez worked for a doctor's office in Texas that was contracted to provide physical exams to FBI agents.

Because both cases ended in guilty pleas, "we still don't know how a court would rule on this issue," said HIPAA expert Bennett.

The U.S. Attorney in Miami declined to comment on why the Cleveland Clinic was not named in the indictment. But spokeswoman Alicia Valle said the allegations charge that Machado was "acting outside the lawful scope of her employment" when she violated the privacy statute.

The government, in a statement, commended the Cleveland Clinic for quickly reporting the incident to law enforcement and for cooperating in the investigation. This is a clue that prosecutors may not have had evidence the hospital itself did anything wrong, or even knew about it, Darrah said.

The Cleveland Clinic likely "has a really good HIPAA compliance plan and really good policies and detection systems for when something went wrong." These are key components to minimizing liability risk, Darrah said.

Given that the Dept. of Health and Human Services has yet to impose any civil fines against health care entities for HIPAA privacy violations, legal experts say they are unlikely to ensue in this case because Machado did not appear to be acting on the Cleveland Clinic's behalf.

"There are some good-faith defenses if it is established that [an entity] didn't know what an employee was doing, or wasn't negligent in failing to correct" any problems, Bennett said.

She agrees that doctors and clinics need to be vigilant in their training and supervision of employees who have access to protected health information and should immediately report any suspicious activities.

Getting compliance programs up and running "may cost something up front, but it is certainly more cost effective than a violation," Bennett said.