I was asked to comment for a story about a recent case in Texas in which criminal charges were filed against an individual for the misuse of Protected Health Information (“PHI”). Criminal charges have been available under the Health Insurance Portability and Accountability Act (“HIPAA”) since it went into effect in 2003. However, as the law enters its second decade, we are seeing both the regulators and the regulated coming to understand privacy and security better, to include the harms involved with noncompliance. This story made me think it might be helpful to provide a brief summary of the legal risks in both the civil and criminal context for failing to comply with HIPAA.
Regulatory Action and Civil Penalties. Probably the most common enforcement actions we have seen have come from the Office of Civil Rights (“OCR”), which is tasked with HIPAA enforcement by the Department of Health and Human Services (“HHS”). In recent years, we have seen the OCR file more actions resulting in bigger and bigger penalties for organizations with compliance failures. Under HIPAA, OCR may impose a penalty for a failure to comply with a requirement of the HIPAA Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.
|For violations occurring prior to 2/18/2009||For violations occurring on or after 2/18/2009|
|Penalty Amount||Up $100 per violation||$100 to $50,000 or more per violation|
|Calendar Year Cap||$25,000||$1,500,000|
The OCR will not impose penalties if the failure to comply was not due to willful neglect and if the error was corrected within thirty (30) days of the regulated entity having notice of the issue, or being in receipt of written notice of the violation from the OCR. Likewise, if the Department of Justice is pursuing criminal actions under HIPAA, the OCR will not impose civil penalties. If the OCR is going to impose penalties, covered entities still have right to an administrative hearing to review the alleged violations.
Criminal prosecution. Under HIPAA, the prosecutions of individuals under its criminal provisions are handled by the Department of Justice, not the OCR. Also, as the charges are criminal, they implicate an individual, as opposed to an organization, such as a covered entity or business associate. In order for someone to be convicted under HIPAA, a person must be proven to “knowingly obtain or disclose individually identifiable health information” in violation of the Privacy Rule.
|Knowing misuse of PHI||$50,000||1 year|
|Knowing misuse of PHI, including false pretenses||$100,000||5 years|
|Knowing misuse of PHI, with intent to sell transfer or use PHI for commercial advantage, personal gain or malicious harm||$250,000||10 years|
In the Texas case, it would appear the stakes are of the highest order. The individual was charged with the wrongful disclosure of individual identifiable health information, with the intent to sell, transfer and use for personal gain. As I shared in the article, the “honeymoon” is indeed over. Companies and individuals, alike, are on notice to comply with HIPAA, and vigilantly work to keep up with emerging risks and threats to PHI in their possession.
July 23, 2014
In the privacy space, representatives from around the world have debated the need for a national identifier. Security folks argue that times are just too dangerous not to have one number by which law enforcement and other agencies can quickly track and identify people (both good and bad). Privacy advocates warn against the creation and use of such information for obvious reasons, to include the exponential increase in the ability to not only identify people, but linking individuals across numerous databases and having that information used, sold or hacked for what can be innumerable harms.
Of course, as most of us know, for years the United States has been using a defacto national identifier: the Social Security Number (“SSN”). Sure, we don’t call it an identifier, but that is essentially what it has become, even though the back of each card reads, “not for purposes of identification.” Yet, for the last 30-40 years, that is all we have done. When I was in boot camp in the 90′s, I shouted out my SSN or “service number” three times a day in line to get fed at the chow hall. I still have the Army duffle bag upon which my SSN was stenciled for the world to see as I traveled from post to post. (I have since redacted, of course). This past week, after I gave a talk on privacy, a gentleman raised the issue that, if the SSN is only required to be used for a finite number of express purposes such as those required by the IRS or other federal agencies, why do so many businesses and agencies not only use it, but even require it to provide services? The answer is pretty easy. It is the one identifier that can isolate you from everyone else in the United States. It is, indeed, being used “for purposes of identification,” and there are relatively few limitations on whether a company can demand a SSN for services to be rendered or not. Furthermore, people choose to give up the number, either because they really want the service, don’t care, or think they have no other choice.
June 30, 2014
Privacy Enabling Technologies or “PET’s” are those technologies that provide options for using personally identifiable information (“PII”) of individuals. These individuals can be customers, employees or patients. Furthermore, your company may collect such information in a regulated industry, such as financial services (GLBA) or healthcare (HIPAA), or possibly through customers online through a website. PET’s are most commonly thought to be implemented to provide the security of such information against unauthorized disclosure. Such protective PET’s would include encryption, access controls, integrity controls or secure destruction technology. However, there are those PET’s that serve to not only safeguard privacy, but also enable expanded use of such information. De-identification is one such PET.
June 16, 2014