Implications of first HIPAA court case
The ink was barely dry on the recent sentencing of a health care worker to prison for 16 months when the debate began over the implications of the case, which was the first criminal prosecution brought under the Health Insurance Portability and Accountability Act (HIPAA).
In November in Seattle, WA, U.S. District Court Judge Ricardo Martinez sentenced 42-year-old, former lab technician Richard Gibson to the maximum time under federal sentencing guidelines for stealing the social security number and other identifying information from a cancer patient he treated.
The maximum sentence handed down to Gibson was actually four months longer than prosecutors had asked for, because he had used the information, from patient Eric Drew, to live the high life.
"It's true you didn't murder anyone," said Martinez at the sentencing, but "in a very real sense you committed a vicious attack on someone who was fighting for their life. You did so for probably the most basic reason of all, greed."
Martinez also said: "This court considers your behavior in this case to be some of the most deplorable I've seen in 15 years on the bench."
Emily Langlie, director of public affairs at the U.S. Attorney's Office in Seattle, explained that Prosecuting Attorney Susan Loitz had decided to prosecute Gibson under the HIPAA law because Drew was a cancer patient at the time the identity theft occurred. Loitz chose HIPAA over the identity theft statute because of the vulnerability of the patient. At the time of the decision, there were no differences in the penalties faced by Gibson.
Kirk J. Nahra, a lawyer at Wiley Rein & Fielding, who also acts as general counsel at the National Health Care Anti-Fraud Association, speculated that while Gibson could have been charged under other federal criminal statutes, "presumably, this Department of Justice effort was prompted to some degree by a desire to be first, as well as to make the point that individuals can be prosecuted."
Another interesting aspect, according to Nahra, was the decision to use HIPAA to prosecute an individual who, by himself, is not a "covered entity" under HIPAA. Rather, he is an employee of a covered entity, the Seattle Cancer Care Alliance.
"This should be a reminder to anyone in the healthcare industry about personal responsibility and the possible exposure for abusing protected health information," he added.
As part of his sentence, Gibson will also be required to pay at least $15,000 in restitution, including reimbursing Drew for the time and money he spent trying to clear his name.
The 37 year-old victim Drew, a mortgage banker from the Silicon Valley area, told the court that while he was in a hospital bed, weak from the massive doses of chemotherapy, he started to receive letters of thanks from new creditcard accounts, which he had not opened.
"I felt completely ignored, frustrated and totally violated," he said in a videotaped statement played in court. "Nobody seemed to care about this situation, and my doctors and family wanted me to drop it because they were worried about the huge amount of stress this was placing on me. They were afraid it would actually cause my impending bone marrow transplant to fail."
Drew told the court he knew from the beginning that it was someone at the clinic who had acquired the data, because he had no other connections in Seattle.
After his transplant in December 2003, Drew began visiting the Seattle Police Department, banks and the post office, but said he had received little help from the authorities.
Unhappy with the local police, Drew called the Justice Department in Washington D.C., which referred him back to the U.S. Attorney's Office in Seattle. A local TV reporter jumped on the story and, in just three weeks, obtained video of someone (Gibson) making fraudulent purchases.
Nahra said this incident should remind companies that the largest threat to their customers' privacy might come from their own employees. As a result of this threat, companies might wish to increase their training and education, as well as expand on internal compliance.
Joseph Granneman, manager of networking and data security at Rockford Health Systems, agreed that having policies in place, whereby employees sign confidentiality agreements, and receive training were very important, but "there's no technology that could have stopped this [crime]."
"It's scary because your people are your weakest link. We don't have any content filters for human beings. It's tough," he added.
Rebecca Williams, a registered nurse and an attorney, who is co-chair of the HIPAA Task Force within law firm Davis Wright, believed the defendant chose the lesser of various evils in pleading guilty to HIPAA, as opposed to other possible crimes.
"This is the first criminal conviction under HIPAA, but much remains to be learned about what will constitute a crime under this law and how the government will prosecute such crimes," she said.
"Because this case involved identity theft which happened to take place within the health care industry, many do not view this as a 'true' HIPAA case," she continued.
"Of course, this is the first HIPAA criminal penalty imposed. The success may give the government additional confidence in moving forward with other cases."