• Recent Physician Cases Involving Criminal Enforcement of HIPAA
  • March 25, 2010 | Author: Susan E. Ziel
  • Law Firm: Krieg DeVault LLP - Carmel Office
  • The HITECH Act has clarified that HIPAA covered entities, in addition to individual employees, business associates and other actors who obtain or disclose PHI without authorization will be subject to potential criminal penalties.  Two recent criminal actions involving physicians which were brought by the U.S. Attorney in Arkansas and California merit attention.

    The first action involves a physician who pled guilty to a HIPAA violation based on his unauthorized access to the medical record of a local television news anchor who was murdered in Little Rock, Arkansas.  The physician admitted that after watching a television news report, he logged onto the local hospital's medical record system from his computer at home and accessed the the news anchor's medical records because he was curious.  Although the physician risked maximum criminal penalties of one (1) year imprisonment, a fine of not more than $50,000, or both, the U.S. Magistrate sentenced the physician to one year of probation, a $5,000 fine and 50 hours of community service educating professionals regarding HIPAA compliance.  The physician's clinical privileges at the local hospital were also suspended under the hospital's medical staff bylaws.  A second action involves a physician researcher who also pled guilty to a HIPAA violation based on his improper access to the medical records of certain high-profile celebrities in addition to those of his immediate supervisor and certain other co-workers.  The physician faces a  maximum of four (4) years imprisonment and will be sentenced later this month. 

    As evidenced by these recent cases, HIPAA criminal enforcement can reach not only criminal conduct but also other conduct where the actor knew or should have known that a particular access, use or disclosure of protected health information was in violation of HIPAA requirements.