August 10, 2009
Recent criminal enforcement actions make it clear that the Federal government is serious about enforcing patients’ privacy rights under the Health Insurance Portability and Accountability Act (“HIPAA”). In particular, these recent actions show that even a seemingly innocent peek at medical records can be a HIPAA violation.
The United States Department of Justice recently announced that a doctor and two hospital employees in the Little Rock, Arkansas area were subjected to criminal prosecution for HIPAA violations when they accessed a patient’s medical record for no legitimate purpose. On July 20, 2009, each pled guilty to a misdemeanor violation of HIPAA. A sentencing date has not yet been set, but each faces a maximum penalty of one year imprisonment, a fine of not more than $50,000, or both.
The doctor in question admitted that, after watching television news reports about the death of a television reporter, he logged on to the hospital’s patient records from his home computer and accessed the patient’s medical record to determine whether the news reports were accurate. He admitted that he had received HIPAA training from the hospital and that he understood he was violating HIPAA when he accessed the patient’s file. (As an internal disciplinary measure independent of this Government enforcement action, the hospital suspended his privileges for two weeks and required him to complete additional HIPAA training.)
Two other hospital employees, one an account representative and the other an emergency room unit coordinator, were similarly trained on HIPAA privacy laws. Nevertheless, one accessed the patient’s file approximately twelve times over a period of two days without any legitimate purpose, and the other accessed the patient’s file three times after she was told to create an alias for the patient and became curious about the patient’s condition. Again, in keeping with HIPAA’s requirement that providers discipline employees who violate HIPAA, the two hospital employees were both fired from their positions. All three employees admitted that they were motivated by their own curiosity in accessing the patient medical records.
Jane W. Duke, the United States Attorney for the Eastern District of Arkansas, stated, “The HIPAA privacy protections are real, and we hope that through vigorous enforcement of HIPAA’s right-to-privacy protections and swift prosecution of those who violate HIPAA, we can deter those in the medical industry who have access to protected health information from searching others’ medical records merely to satisfy their own curiosity.”
The lesson here is that even seemingly minor HIPAA breaches can give rise to criminal prosecution. Significantly, the hospital in question was not itself charged, and these cases reinforce the importance of employee HIPAA training and consistent enforcement of a provider’s own HIPAA policies. The benefits of such HIPAA policies and training apply equally to large institutional healthcare providers and private physician practices. If you have any questions about whether your HIPAA policies are up to date or about HIPAA policy enforcement, please contact us.


