
December 1, 2006
...will the employers—physicians, hospitals or other covered
entities—also be held accountable and subject to prosecution?
That's what a 2005 Department of Justice memo seemed to imply.
However, as the department begins to prosecute its third
criminal case involving privacy violations, legal experts
believe that as long as covered entities play by the rules, they
may be spared from prosecution.
In each of the three cases, the privacy breaches involved
employees. In 2004, a phlebotomist was charged with stealing the
personal information of a cancer patient at Seattle Cancer Care
Alliance and incurring $9,000 in charges to a credit card he
obtained using the patient's identity. In 2005, an employee of a
Texas doctor's office was convicted of stealing the confidential
medical information of an FBI agent and trying to sell it to
someone who she believed was a drug trafficker. In 2006, an
employee of the Cleveland Clinic is accused of obtaining
confidential medical information for 1,100 patients and selling
it.
In each case, covered entities were spared prosecution. In the
most recent case, the Cleveland Clinic worked with local and
federal authorities, providing them with any information it
had about the privacy violation. It also notified affected
patients and set up a toll-free number to report financial
losses caused by the breach. It is also revisiting its privacy
policy.
Such steps may be the way to avoid penalties. Healthcare
attorney and HIPAA compliance specialist
Jacqueline Darrah told American Medical News
(10/16/2006) that government officials are "clearly sending the
industry a message that if you are doing the right things, they
are going to go after the bad actors and do what they can to
work with your systems."