Grievous HIPAA violations can lead to dire consequences.
As part of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (Aug. 21, 1996) (HIPAA), Sections 261 through 264 required the HHS Secretary to create both privacy and security standards regarding protected health information. The Privacy Rule was initially published in the Federal Register on December 28, 2000, with subsequent modifications to the Privacy Rule being published on August 14, 2002. Hence, Privacy Rule requirements are not new. The HIPAA Enforcement Rule (71 Fed. Reg. 8390 (Feb. 16, 2006)), as well as the HITECH Act Enforcement Interim Final Rule and the Final Omnibus Rule (78 Fed. Reg. 5566 (Jan. 25, 2013)), have provided HHS-OCR with the option of imposing penalties – both civil and criminal.
Before delving into a recent enforcement action in which criminal HIPAA penalties were assessed, it’s important to appreciate that the U.S. Department of Justice (DOJ), not HHS-OCR, is responsible for criminal prosecutions for violations of the Privacy Rule, Security Rule, and Breach Notification Rule (collectively “HIPAA Rules”). HHS-OCR’s jurisdiction covers four tiers of possible civil penalties. The four categories used for the penalty structure are as follows:
Now that the background has been established, let’s turn to a December 2021 DOJ criminal HIPAA enforcement action, which involved a medical biller and the theft of protected health information (PHI). According to the December 3, 2021 press release, which led to the medical biller pleading guilty to four counts of healthcare fraud, four counts of aggravated identity theft, one count of filing a false federal income tax return, and two counts of failing to file federal income tax returns, the following facts were set forth in the court documents:
The end result? The perpetrator “faces a maximum penalty of 10 years in federal prison for each healthcare fraud count, a 2-year mandatory consecutive sentence on the aggravated identity theft counts, a maximum penalty of 3 years for filing a false income tax return, and up to 2 years for each failure to file an income tax return offense.” The Government also informed him that it seeks to forfeit $2.2 million in funds and real property – all of which were traceable to the ill-gotten gains of his alleged offenses.