Remember the HIPAA violation charge against the Alabama woman who stole PHI from more than 4,000 surgery patients at Trinity Medical Center in Birmingham, Alabama. This case marked the first time that the DOJ has charged someone with a HIPAA violation who is not connected in any way to a covered entity. In this case the woman is alleged to have been visiting a hospital when she took the documents.
Prior to the HITECH Act, the HIPAA charge against the Alabama woman may not have occurred or may have been substantially more difficult to file. If convicted, this woman could be jailed for 10 years and fined $250,000 for just the HIPAA charge. However, under the June 28 indictment there are added charges of “possessing stolen mail, attempting to commit bank fraud, misusing someone else’s Social Security number, and aggravated identity theft.”
Prior to the HITECH Act, Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)), “Wrongful disclosure of individually identifiable health information,” read:
(a) Offense. – “A person who knowingly and in violation of this part – (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided” in later sections.
The HITECH Act includes “Sec. 13409. Clarification of Application of Wrongful Disclosures Criminal Penalties,” which applied criminal penalties to individuals. It states:
“Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the end the following new sentence: ‘For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.’”
Prior to this change, only covered entities (CEs) and certain individuals working for them were directly liable for criminal charges. The expansion means not only that outsiders can be liable, but also that low-level employees can now be subject to direct prosecution.