Unbeknownst to many health care practitioners, the Health Insurance Portability and Accountability Act (HIPAA) has quickly become an emerging source of criminal liability. Although HIPAA was originally created to safeguard the privacy of American patients, the number of prosecutions for HIPAA violations keeps growing day after day, possibly because a HIPAA violation is relatively simple for federal prosecutors to prove compared with a much more complex kickback scheme.

But what is HIPAA? HIPAA stands for “Health Insurance Portability and Accountability Act,” a law that establishes the rules that must be followed when patients’ medical information is transferred or exchanged between providers. Its purpose is to protect people’s privacy, reduce fraud and abuse in the health care system, and help U.S. workers transfer all the information needed for health insurance purposes. That’s why so many companies now rely on modern HIPAA-compliant software to exchange Electronic Protected Health Information (ePHI) and to make sure that it remains secure and confidential at all times.

Every time a provider violates this fundamental privacy law by improperly managing individually identifiable health information (such as by disclosing it to a third party), a court may impose a serious punishment in the form of a fine, prison time, or both. It is not uncommon for fines to reach $50,000, and in some instances they exceed $200,000. For example, in 2014 a Texas hospital employee was sentenced to 18 months in prison after he pleaded guilty to intentionally using personal health information for personal gain. In September 2017, the sales force of Aegerion Pharmaceuticals was alleged to have repeatedly violated HIPAA; eventually, the company had to pay over $35 million to resolve all criminal liabilities.

Proving criminal liability when HIPAA is violated is much simpler than proving other, more serious forms of fraud. In particular, many individuals and organizations risk criminal prosecution even when they are not aware that a crime is occurring: ignorance of the law does not limit liability. All providers must maintain all patient privacy policies in writing, properly advise patients of their rights, and disclose or transfer private information only when a patient has provided written authorization to release it.