Criminal HIPAA case targets employee, not clinic, for breach

The latest HIPAA criminal case may signal more aggressive efforts by the government to root out privacy breaches, while highlighting some legal risks for doctors and other "covered entities" for violations made by their employees, experts said.

A former Northeast Arkansas Clinic employee recently entered a guilty plea with the U.S. Attorney for the Eastern District of Arkansas for allegedly wrongfully disclosing a patient's protected health information and using it for personal gain and malicious intent.

Andrea Smith, a clinic nurse, accessed the unnamed patient's medical file and shared the contents with her husband. He later told the patient he planned to use the private information in an upcoming legal proceeding, according to the indictment.

The Arkansas case is believed by legal observers to be only the fourth criminal case brought under the Health Insurance Portability and Accountability Act since its medical records privacy rules went into effect in 2003.

U.S. Attorney Jane W. Duke said in a statement that HIPAA criminal prosecution is a "fairly new concept." At the same time, however, she issued a warning that the federal government intends to pursue "vigorous enforcement" of the privacy protections.

"What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated," Duke stated following Smith's April plea agreement.

Compared with past cases -- which involved additional charges for fraud and identity theft -- the Arkansas incident "was a straight HIPAA conviction," noted Cynthia M. Stamer, a HIPAA privacy lawyer with Glast, Phillips & Murray in Dallas. It was brought solely for an unlawful privacy disclosure.

Smith's attorney could not be reached for comment. Smith faces up to 10 years in prison, $250,000 in fines or both. Charges against her husband were dropped following the plea agreement.

Legal experts said it is significant that Northeast Arkansas Clinic -- which terminated Smith when it found out about the breach -- was not charged in connection with the case.

Dept. of Justice guidelines issued in 2005 indicated that covered entities, such as physicians, hospitals and health insurers, would be the ones to face criminal penalties for unauthorized disclosures, but not necessarily individuals, such as employees.

"It's now clear that there is a willingness [by the government] to prosecute when individuals are using [protected health information] for personal benefit, whether financial or otherwise," Stamer said.

Protecting yourself

Philip H. Lebowitz, a HIPAA lawyer and partner with Philadelphia-based Duane Morris LLP, said health care entities are unlikely to face criminal sanctions if they have adequate protections in force or are unaware of an unlawful disclosure by an employee.

"If the clinic were on notice or didn't do anything [about the breach], that would potentially cross the line," he said.

Northeast Arkansas Clinic CEO Jim Boswell said the facility has "stringent policies in place to deal with HIPAA violations."

After receiving a complaint from the patient involved, the clinic conducted an internal investigation and immediately terminated Smith, he said. The clinic staff also worked with federal authorities in their probe.

"We will continue to educate and reinforce to our employees the importance of maintaining patient confidentiality," Boswell said.

Even if spared from criminal prosecution, without careful privacy controls, doctors or other covered entities could incur federal civil penalties for being negligent, Lebowitz added. However, the Dept. of Health and Human Services has yet to impose any civil fines.

Legal observers warn that physician offices dealing with a privacy breach by an employee also are exposed to state civil liability claims brought by patients.

Most states enacted privacy laws based on the federal privacy statute, Stamer added.

Lebowitz said plaintiffs are finding "increasingly creative methods" to use HIPAA as a standard for establishing various types of state-based claims.

A November 2006 ruling by the 5th U.S. Circuit Court of Appeals was the first decision to affirm that patients cannot sue directly under HIPAA in federal court, only the U.S. government can do so. But judges suggested that patients could continue to bring privacy claims in state court.

Legal experts point to a North Carolina case as one of the first tests.

A state appeals court there in December 2006 green-lighted a lawsuit in which a clinic patient sued the clinic owner for negligence for allegedly breaching the medical privacy provisions under HIPAA. The clinic owner, a physician, allegedly gave his medical records password to an office manager, who later disclosed the patient's confidential information to a third party. The case ultimately was settled.

In addition to implementing sufficient privacy and security policies with legal assistance, doctors' best defense is ensuring those procedures are enforced, experts said.

"Without repercussions it looks like you don't care and are condoning breaches that occur," Lebowitz said.