a**********2 | Posts: 3726 | 1
http://www.empr.com/features/hipaa-personal-patient-health-records-criminal-law/article/654196/
Just a reminder to the to-be-interns, do not check other patients' medical
records if you don't take care of the patient.

a**********2 | Posts: 3726 | 2
This month we look at a case involving a HIPAA privacy violation. This case
is particularly important (and unusual) because it illustrates two points:
1) a person can get jail time for a HIPAA violation (even a misdemeanor
violation), and 2) ignorance of the law does not protect you.
Dr. H was in his mid-40's when he took a research position with a large,
well-known health system in a major city. The research position was not what
Dr. H wanted, but he had a family to support, and had to take whatever
employment he could. In his native country of China, Dr. H had been a
cardiothoracic surgeon, but since immigrating to the United States a few
years ago, his job options had been limited. Although he felt that the
research position was beneath him, he also felt he had no choice, at least
until his English became more fluent and he obtained the requisite licensing
to perform surgery again. His wife also worked, but they had three small
children to support, and they were living in an expensive part of the
country.
Dr. H's frustration with the position was apparent to many of his colleagues,
and his discomfort with speaking English meant that he tended to be a
loner. His performance reviews were poor, and in less than a year he was
given notice that he was going to be terminated from the job. His employer
had an appeal process, and a grievance hearing regarding his termination was
set. In the meantime, Dr. H began idling away his remaining days at the
health system by looking at patient records for entertainment. The day he
was notified of his termination, he accessed the first one – his immediate
supervisor. Over the next few weeks, Dr. H browsed the medical records of
many of his colleagues. He also viewed the records of the health-system's
many high-profile patients, including well-known movie stars, television
personalities, and people in public office.
Dr. H never shared the information he saw in the records. He didn't talk
about it with his wife, or try to sell the information about the celebrity
patients to the tabloids. He knew he shouldn't be looking at records of
patients who were not his, but believed that as long as he didn't share the
information he gained, it wasn't a problem. Thus, he didn't believe that he
had committed a federal offense.

a**********2 | Posts: 3726 | 3
After losing his job, Dr. H was hit with another shock – he was charged by
the government with violating the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), which imposes a misdemeanor penalty on a
person who knowingly and in violation of the act obtains individually
identifiable health information relating to an individual.
Dr. H immediately hired a defense attorney, who told him that although there
was information that Dr. H had illegally accessed patient records over 300
times, the government was only charging him with four counts, instances
which had taken place after he was no longer working at the health system.
“But I didn't do anything wrong,” said Dr. H. “I never sold the
information or told anyone about it.”
“They aren't charging you with selling the information,” said the attorney.
“If they were, you would be facing a felony and a lot of jail time. They
are charging you with simply accessing identifiable health information
without a valid reason for doing so. You were not treating any of those
patients. And in the last several instances, you weren't even working for
the health system anymore.”
“But I didn't know that was a crime…” said Dr. H.
The attorney made a motion to dismiss the case, seeking to have the charges
against Dr. H dropped. The court denied the motion. Then the defense
attorney sought to have the court issue jury instructions telling the jury
that elements of the case required that the defendant knew that obtaining
the personal medical information was a violation of criminal laws. The court
refused. Faced with what appeared to be a losing proposition, Dr. H entered
a conditional plea of guilty, reserving his right to appeal his original
motion to dismiss the case. Dr. H was sentenced to four months in prison,
followed by a year of supervised release, and a $2,000 fine. Dr. H appealed
the case.

a**********2 | Posts: 3726 | 4
Legal Background
On appeal, the Ninth Circuit held that the plain text of the statute does
not limit its application to people who knew their actions were illegal.
Rather, the court stated, “the misdemeanor applies to defendants who
knowingly obtained individually identifiable health information relating to
an individual, and obtained that information in violation of HIPAA.” The
key language, according to the court, was “knowingly and in violation of
this part.” Dr. H wanted it to be interpreted as “knowingly, in violation
of this part” – therefore presuming that knowledge that it was a
violation was necessary for conviction. The court, however, disagreed,
saying that if the statute did not contain the word “and,” Dr. H's
argument might be more persuasive. “However, we cannot ignore ‘and’
because its presence often dramatically alters the meaning of a phrase,”
wrote the court in its decision. “Without ‘and,’ the Second Amendment
would guarantee ‘the right of the people to keep bear arms,’ Leo Tolstoy
would have published ‘War Peace,’ and James Taylor would have confusingly
crooned about ‘Fire Rain.’”
The court went on to say that “HIPAA's legislative history indicates that
Congress intended broadly to apply this misdemeanor criminal penalty,” and
that “our conclusion is supported by Congress's decision not to require
willfulness as an element of the crime.”
The court refused to dismiss the case, and Dr. H's conviction stood.
Protecting Yourself
Criminal penalties for HIPAA violations are rare, but not unheard of. Civil
penalties (fines) are far more common. In this case, Dr. H's employer faced
civil HIPAA violations due to its employee's actions. The health system
ended up paying over $800,000 in civil fines related to this case.
This case stands for the proposition that ignorance of the law is no excuse.
Criminal penalties for HIPAA violations can be severe. In Dr. H's case, he
was facing a fine of up to $50,000 and a year in jail. If the offense were
committed under false pretenses, a perpetrator could be fined up to $100,000
and imprisoned for up to 5 years. And finally, if the offense is committed
with intent to sell, transfer, or use the health information for personal
gain or to harm someone, a perpetrator may be fined up to $250,000 and
imprisoned for up to ten years.
Protecting yourself is not difficult – avoid, at all costs, accessing
medical records which you have no legitimate medical purpose to be viewing.
Patient privacy is paramount – treat it that way.