[Med-privacy] HIPAA case
peter marshall
pwm@comcast.net
Mon, 7 Jul 2008 11:09:32 -0700
Criminal HIPAA case targets employee, not clinic, for breach
Still, legal experts warn of state civil liabilities for physician
practices in such situations.
By Amy Lynn Sorrel, AMNews staff. July 14, 2008.
The latest HIPAA criminal case may signal more aggressive efforts by
the government to root out privacy breaches, while highlighting some
legal risks for doctors and other "covered entities" for violations
made by their employees, experts said.
A former Northeast Arkansas Clinic employee recently entered a guilty
plea with the U.S. Attorney for the Eastern District of Arkansas for
allegedly wrongfully disclosing a patient's protected health
information and using it for personal gain and malicious intent.
Andrea Smith, a clinic nurse, accessed the unnamed patient's medical
file and shared the contents with her husband. He later told the
patient he planned to use the private information in an upcoming legal
proceeding, according to the indictment.
The Arkansas case is believed by legal observers to be only the fourth
criminal case brought under the Health Insurance Portability and
Accountability Act since its medical records privacy rules went into
effect in 2003.
U.S. Attorney Jane W. Duke said in a statement that HIPAA criminal
prosecution is a "fairly new concept." At the same time, however, she
issued a warning that the federal government intends to pursue
"vigorous enforcement" of the privacy protections.
"What every HIPAA-covered entity needs to realize and reinforce to its
employees is that the privacy provisions of HIPAA are serious and have
significant consequences if they are violated," Duke stated following
Smith's April plea agreement.
Compared with past cases -- which involved additional charges for fraud
and identity theft -- the Arkansas incident "was a straight HIPAA
conviction," noted Cynthia M. Stamer, a HIPAA privacy lawyer with
Glast, Phillips & Murray in Dallas. It was brought solely for an
unlawful privacy disclosure.
Smith's attorney could not be reached for comment. Smith faces up to 10
years in prison, $250,000 in fines or both. Charges against her husband
were dropped following the plea agreement.
Legal experts said it is significant that Northeast Arkansas Clinic --
which terminated Smith when it found out about the breach -- was not
charged in connection with the case.
Dept. of Justice guidelines issued in 2005 indicated that covered
entities, such as physicians, hospitals and health insurers, would be
the ones to face criminal penalties for unauthorized disclosures, but
not necessarily individuals, such as employees.
"It's now clear that there is a willingness [by the government] to
prosecute when individuals are using [protected health information] for
personal benefit, whether financial or otherwise," Stamer said.
Protecting yourself
Philip H. Lebowitz, a HIPAA lawyer and partner with Philadelphia-based
Duane Morris LLP, said health care entities are unlikely to face
criminal sanctions if they have adequate protections in force or are
unaware of an unlawful disclosure by an employee.
"If the clinic were on notice or didn't do anything [about the breach],
that would potentially cross the line," he said.
Northeast Arkansas Clinic CEO Jim Boswell said the facility has
"stringent policies in place to deal with HIPAA violations."
After receiving a complaint from the patient involved, the clinic
conducted an internal investigation and immediately terminated Smith,
he said. The clinic staff also worked with federal authorities in their
probe.
"We will continue to educate and reinforce to our employees the
importance of maintaining patient confidentiality," Boswell said.
Even if spared from criminal prosecution, without careful privacy
controls, doctors or other covered entities could incur federal civil
penalties for being negligent, Lebowitz added. However, the Dept. of
Health and Human Services has yet to impose any civil fines.
Legal observers warn that physician offices dealing with a privacy
breach by an employee also are exposed to state civil liability claims
brought by patients.
Most states enacted privacy laws based on the federal privacy statute,
Stamer added.
Lebowitz said plaintiffs are finding "increasingly creative methods" to
use HIPAA as a standard for establishing various types of state-based
claims.
A November 2006 ruling by the 5th U.S. Circuit Court of Appeals was the
first decision to affirm that patients cannot sue directly under HIPAA
in federal court; only the U.S. government can do so. But judges
suggested that patients could continue to bring privacy claims in state
court.
Legal experts point to a North Carolina case as one of the first tests.
A state appeals court there in December 2006 green-lighted a lawsuit in
which a clinic patient sued the clinic owner for negligence for
allegedly breaching the medical privacy provisions under HIPAA. The
clinic owner, a physician, allegedly gave his medical records password
to an office manager, who later disclosed the patient's confidential
information to a third party. The case ultimately was settled.
In addition to implementing sufficient privacy and security policies
with legal assistance, doctors' best defense is ensuring those
procedures are enforced, experts said.
"Without repercussions it looks like you don't care and are condoning
breaches that occur," Lebowitz said.