First Ever HIPAA Privacy Criminal Conviction
Client Alert | 2 min read | 08.26.04
A former employee of a Seattle cancer center has pled guilty to criminal violation of the privacy-related provisions of the Health Insurance Portability and Accountability Act, P.L. 104-191 (“HIPAA”). The guilty plea represents the first ever criminal conviction under HIPAA’s privacy protections. Interestingly, the defendant was apparently not, himself, a “covered entity” under HIPAA. Thus, the case sends a signal that the federal government may seek to pursue even non-covered entities – including employees of covered entities and possibly “business associates” – for criminal prosecution even though HIPAA arguably does not apply directly to them. In addition, the data that was misappropriated was apparently financial and personal information from a health file, but not itself health-related information.
The facts of the case, as set forth in the plea agreement, can be summarized as follows. In October 2003, defendant Richard Gibson obtained the demographic information of a cancer patient from his employer, Seattle Cancer Care Alliance. Gibson then used this data to obtain credit cards in the patient’s name, eventually incurring over $9,000 in debt for items such as video games, apparel, and jewelry. According to news reports, the theft was uncovered in February 2004, at which point Gibson was fired from his job as a phlebotomist/lab technician at the cancer center.
The U.S. Attorney’s Office for the Western District of Washington charged Gibson under 42 U.S.C. § 1320d-6(a)(3) and (b)(3). These provisions provide that a person who knowingly, and in violation of HIPAA, discloses individually identifiable health information to another person with intent to “sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm,” may be fined not more than $250,000, imprisoned not more than 10 years, or both. The plea agreement in the Gibson case recommends a sentence of 10 to 16 months, plus restitution to be paid to the patient-victim, as well as to the credit card companies. The plea agreement was entered on August 19, 2004.
As noted above, perhaps the most interesting aspect of the case is that the defendant was not, apparently, a “covered entity” himself under HIPAA, but rather an employee of a covered entity. There is nothing to suggest that Seattle Cancer Care Alliance was itself implicated in the criminal prosecution. Thus, this case would appear to signal that some federal prosecutors believe HIPAA extends even to individuals or entities not generally viewed as subject to the law’s direct requirements. Under such an interpretation, for example, a “business associate” of a covered entity would appear vulnerable to felony HIPAA charges, even if the business associate is not itself a covered entity.
Such prosecution theories could be subject to legal challenge. In particular, it is an essential element of section 1320d-6 that the accused person disclose information in violation of the administrative simplification provisions of HIPAA (specifically, United States Code, Title 42, Chapter 7, Subchapter XI, Part C). The relevant part of the U.S. Code, however, arguably applies only to “covered entities,” i.e., health plans, health care clearinghouses, and health care providers who engage in electronic HIPAA transactions, so that unauthorized disclosures by others would not, by this interpretation, be violations of HIPAA. By this reasoning, unless one is a “covered entity,” it is not obvious how one can “violate” this part of the U.S. Code.
Because this case resulted in a guilty plea, the legal basis for prosecution was not tested, and other statutes might have been available to the government given the nature of the conduct.
