DOJ ruling on HIPAA increases risk to employer
A new ruling by the Department of Justice (DOJ) sharply limits the government’s ability to prosecute people for criminal violations of the Health Insurance Portability and Accountability Act (HIPAA), but that may lead prosecutors to hold your organization responsible for those violations instead.
That’s the warning from attorneys who say risk managers must make sure their compliance programs effectively deter individuals from violating HIPAA, because if they do, the employer might be the one punished.
In the June 1 ruling, the DOJ said the criminal penalties apply to insurers, doctors, hospitals, and other providers, but not necessarily their employees or outsiders who steal personal health data.
People who work for an entity covered by the federal privacy law are not covered automatically by that law and may not be subject to its criminal penalties, which include a $250,000 fine and 10 years in prison for the most serious violations.
The DOJ’s reasoning was that the regulations apply only to covered entities, such as insurers and health care providers, so only covered entities can be prosecuted for criminal violations of the law.
Not necessarily good news
While the ruling may at first seem like good news for those working in health care, risk managers should not be lulled into a false sense of security regarding the HIPAA risk, says Mark E. Nagle, JD, a partner in the Washington, DC, office of Sheppard, Mullin, Richter & Hampton LLP. Prior to joining the firm, Nagle served as chief of the Civil Division in the United States Attorney’s Office for the District of Columbia. The ruling actually is bad news for health care organizations, he says.
"The most important message for the risk manager to draw from this is the need to continue and keep current active, dynamic compliance programs throughout your institutions," Nagle explains.
"This ruling doesn’t really reduce the exposure of institutions from HIPAA violations. It simply changes the likely constitution of a criminal case the government might choose to bring, by restricting the circumstances in which an individual could be a named defendant."
Prosecutors may turn to employer instead
In other words, the ruling removes the individual from the picture, which means that instead of dropping the case altogether, prosecutors might be more likely to hold organizations responsible for the violations instead.
That means a good compliance program is more important now than ever before, he says. With a good compliance program in place, the institution is better prepared to argue that an individual’s actions in violation of HIPAA were well outside the scope of employment.
"By making clear that the institution will not tolerate violations of HIPAA by individuals, you are giving yourselves and potentially your lawyers a much stronger foundation to tell the government that this behavior was aberrational and the employee did not abide by your rigorous compliance program, and consequently the government should not impute that wrongful conduct to you, the employer," Nagle adds.
Another attorney experienced with HIPAA violations says the DOJ ruling should prompt risk managers to revamp efforts to prevent violations by individuals. Laurence Freedman, JD, a partner with Patton Boggs in Washington, DC, says the ruling increases the risk for organizations as it lowers the risk for individuals.
"You might want to develop new internal tools to deter individuals from violating your policy," he notes.
"The very clear message is that individuals acting outside the scope of corporate policy will not face criminal HIPAA remedies, and you have to consider whether that might lead them to take compliance less seriously. The person who might have thought twice about some conduct might more quickly undertake it now, even in violation of company policy," Freedman adds.
Only one criminal conviction so far
Nagle notes that the DOJ opinion suggests some odd possibilities.
For instance, if a hospital sells a list of patient names to a marketing firm, the hospital could be held criminally liable under HIPAA. But if a hospital clerk did exactly the same thing, the clerk could not be prosecuted under HIPAA because the clerk is not a covered entity.
"What you want to avoid is having the government say that your policies were lax and allowed that transgression or you did not sufficiently educate the employee about HIPAA. That’s when they’ll turn to you and charge the organization instead of the individual," he explains.
"When an employee clearly violates the law, you want to be able to show as conclusively as possible that he did it despite all your extensive efforts as an organization to prevent that crime," Nagle adds.
The DOJ reports that the government has received more than 13,000 complaints of HIPAA violations in two years.
While the government has not imposed any civil fines, it has obtained a criminal conviction of a Seattle man who pleaded guilty in August 2004 to wrongful disclosure of personal health information.
Richard W. Gibson admitted he had improperly obtained a patient’s name, birth date, and Social Security number while working for a consortium of cancer hospitals and used that information to obtain four credit cards in the patient’s name.
Gibson was sentenced to 16 months in prison.
Interestingly, the recent DOJ ruling appears to contradict the legal theory under which Gibson was convicted. Nagle explains, however, that the DOJ ruling is binding only on DOJ prosecutors, not the courts.