A visiting cardiothoracic surgeon from China, working as a researcher at UCLA School of Medicine, became the first person sentenced to prison for unauthorized access to medical records in violation of HIPAA. The few criminal convictions for HIPAA violations to date have involved monetary gain, such as a hospice worker’s use of patient records to commit identity theft or the sale of a celebrity’s medical records to a tabloid. This most recent conviction is remarkable because money was not a factor and the viewing of celebrity records was only part of the illegal conduct. According to court records, the criminal prosecution also was based on the researcher’s review of his immediate supervisor’s and former co-workers’ medical records.
Random curiosity — a/k/a snooping — poses a risk of criminal HIPAA violations not only at hospitals and health care providers. Virtually every employer has some form of medical information subject to HIPAA in their paper files or on their information systems because HIPAA applies to self-insured group health, dental, vision, pharmacy benefit, and long-term care plans; health care reimbursement flexible spending accounts; and employee assistance programs. Consequently, an employee who reviews a co-worker’s explanation of benefits while waiting for a benefits administrator to finish a call or a human resources manager who accesses a third-party administrator’s portal to review claims information unrelated to any job duties arguably is now at risk of criminal prosecution.
While the employee may bear the brunt of the criminal prosecution, the employee’s unauthorized conduct exposes the employer on at least three different levels. First, the U.S. Department of Health & Human Services (HHS) could pursue civil penalties against the employer. Since the Health Information Technology for Economic and Clinical Health (HITECH) Act supplemented HIPAA, effective February 17, 2010, civil penalties for HIPAA violations have been substantially enhanced. While HHS has yet to promulgate regulations construing the statutory penalty provisions, the minimum penalty for an employee’s unauthorized access to patient or plan participant records apparently would be $1,000 per record reviewed if the employer had implemented measures to prevent the unauthorized access and $10,000 per record reviewed where the employer had failed to implement adequate protections. Second, although the federal courts unanimously agree that HIPAA provides no private right of action, the patient or plan participant whose records were viewed without authorization could assert common law, privacy-based claims, alleging vicarious liability on the employer’s part for the employee’s unauthorized access. Finally, the unauthorized access likely would constitute a security breach under HIPAA’s new security breach notification requirements. Were the snooping employee to access the records of 500 or more patients or plan participants, the employer would be required to notify not only the voyeur’s victims but also HHS and prominent media outlets in the state where the victims are located.
The jailing of the Chinese researcher highlights the fact that providers and employers no longer can be complacent about HIPAA compliance. Both health care providers and employers offering HIPAA-covered health benefits should revisit and, if necessary, update the policies they adopted when HIPAA first went into effect more than six years ago. Compliance efforts should focus, in particular, on preventing the types of conduct most likely to trigger security breach notification obligations, such as unauthorized access to and disclosures of health information and the loss or theft of equipment containing health information in unencrypted form. While technologies such as encryption and data loss prevention software can go a long way toward reducing risk, providers should consider robust and frequent training programs that convey the message that there is no such thing as “a little harmless snooping” when it comes to patients’ and plan participants’ medical records.
This entry was written by Philip L. Gordon.