Healthcare data breaches and unauthorized access to protected health information (PHI) have become increasingly common in recent years, with many cases involving employees misusing their access privileges. While HIPAA violations by employees may seem like a relatively minor offense, the consequences can be severe, including hefty fines and even jail time.
The Health Insurance Portability and Accountability Act (HIPAA) is a piece of legislation designed to protect the privacy and security of sensitive patient information. When employees violate HIPAA, the potential penalties can be severe, ranging from financial penalties to criminal charges and even jail time. These penalties serve as a warning to healthcare workers, indicating the need for strict adherence to HIPAA guidelines and the consequences of non-compliance.
The criminal penalties for HIPAA violations are tiered by intent: knowingly obtaining or disclosing PHI carries a fine of up to $50,000 and up to one year in prison; doing so under false pretenses raises the maximum to $100,000 and five years; and offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm carry fines of up to $250,000 and a maximum jail term of 10 years. In addition, where stolen PHI is used to commit identity fraud, employees may be charged with aggravated identity theft, which adds a mandatory two years to the sentence, served consecutively.
While HIPAA violations by employees may not always result in criminal charges, there have been several cases where the Department of Justice has become involved, leading to jail time for the perpetrators. These cases serve as a reminder that the misuse of PHI can have far-reaching legal implications, and healthcare organizations must take proactive measures to prevent such breaches from occurring.
In 2017, a former behavioral analyst at the Transformations Autism Treatment Center (TACT) in Tennessee was discovered to have stolen the protected health information of 300 patients following his termination. Jeffrey Luke, 29, had accessed a TACT Google Drive account containing patient PHI and downloaded the information onto his personal computer. Luke was sentenced to 30 days in jail and three years of supervised release, in addition to being ordered to pay $14,941.36 in restitution.
Stacey Lavette Hendricks, a former employee at a medical clinic in Florida, was found to have used her access to patient information to obtain and sell patient data to identity thieves. Hendricks was arrested when she attempted to sell stolen patient data to an undercover law enforcement officer. She was sentenced in 2020 to 48 months in federal prison for her crimes.
In 2015, a hospital clerk named Monique Walker was discovered to have stolen the electronic PHI of 12,517 patients and sold the information to an identity theft ring for $3 per record. Walker pleaded guilty to grand larceny and was sentenced to six months in jail, while the ringleader, Fernando Salazar, received a sentence of 3.5 to 7 years.
Albert Torres, a clerk at the Veterans Affairs Medical Center in Long Beach, California, was sentenced in 2018 to 4 years in state prison for the theft of the protected health information of more than 1,000 patients. The case came to light after police pulled Torres over during a traffic stop and found prescriptions in other people's names in his vehicle, along with the Social Security numbers and other PHI of 14 individuals.
In 2018, a former receptionist at a New York dental practice, Annie Vuong, 31, was sentenced to serve between 2 and 6 years in state prison for stealing the protected health information of at least 653 patients. Vuong had abused her access rights and passed the stolen data to her co-defendant, Devin Bazile, who used the information to open credit lines and make high-value purchases.
While jail terms for HIPAA violations by employees are relatively rare, there have been cases where individuals either narrowly avoided prison or received far shorter sentences than prosecutors had sought.
Sue Kalina, a former patient care coordinator at the University of Pittsburgh Medical Center (UPMC), was sentenced to one year in jail for accessing patients' medical records without authorization and using the information to cause malicious harm. Prosecutors had sought a jail term of between two and six years, but the judge ultimately imposed a one-year sentence.
Gynecologist Rita Luthra of Longmeadow, Massachusetts, was convicted of criminal violations of the HIPAA Privacy Rule and of obstructing a federal investigation into a kickback scheme. Luthra had given a pharmaceutical sales representative access to patient health information to complete prior-authorization forms. Although she faced up to 6 years in jail, Luthra escaped a fine and was sentenced to 1 year of probation, with the judge citing her work with disadvantaged women as a mitigating factor.
When an employee's employment contract ends or they are terminated, their access to all systems and shared accounts must be revoked immediately, not at the end of the next provisioning cycle. Individual accounts should be disabled and active sessions terminated, the passwords of any shared accounts the employee knew should be changed, and remote access capabilities such as VPN and cloud file-sharing memberships should be removed, to minimize the risk of ex-employees accessing PHI after their departure. Access logs should then be reviewed for any activity by the departed user after the termination date, since that is exactly how the TACT case above came to light.
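One way to turn the offboarding rule above into a repeatable check, as an added example that is not part of the original article: a small Python audit that takes an HR termination feed, a directory export, a list of shared accounts and a PHI-system access log, and reports (1) terminated users whose accounts, remote access or shared-drive memberships were never revoked, (2) shared credentials that were not rotated after a member left, and (3) any access events by a user after their termination timestamp. The usernames, systems, log format (`timestamp key=value ...`) and all records below are constructed for the example and do not correspond to any real organization or incident.

```python
"""Offboarding audit: catch unrevoked access and post-termination PHI activity.

All data here is constructed sample input; the key=value log format, the HR
feed and the directory export are assumptions for the example.
"""
import re
from datetime import datetime, timezone

# Hypothetical HR feed: username -> termination time (UTC, ISO-8601 with 'Z').
TERMINATIONS = {
    "jluke": "2024-03-01T17:00:00Z",
    "mwalker": "2024-03-05T12:00:00Z",
}

# Hypothetical identity-provider export: what the directory still says about each user.
ACCOUNTS = {
    "jluke": {"enabled": True, "vpn": True, "shared_drives": ["clinic-records"]},
    "mwalker": {"enabled": False, "vpn": False, "shared_drives": []},
    "shendricks": {"enabled": True, "vpn": True, "shared_drives": []},
}

# Hypothetical shared accounts whose password every listed member knows.
SHARED_ACCOUNTS = {
    "frontdesk": {"members": ["jluke", "shendricks"], "password_rotated": "2024-02-10T00:00:00Z"},
    "billing": {"members": ["mwalker"], "password_rotated": "2024-03-05T13:00:00Z"},
}

# Constructed access-log lines: "<timestamp> key=value key=value ...".
ACCESS_LOG = [
    "2024-03-01T09:12:44Z user=jluke system=ehr action=view patient_id=1041",
    "2024-03-02T22:41:03Z user=jluke system=shared-drive action=download object=patients.xlsx records=300",
    "2024-03-06T08:00:10Z user=mwalker system=ehr action=view patient_id=2210",
    "2024-03-06T08:30:00Z user=shendricks system=ehr action=export records=12517",
    "malformed line without fields",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str):
    """Parse one log line into a dict; return None for lines that lack a
    parseable timestamp or a user= field, so bad input is skipped, not trusted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    if "user" not in fields:
        return None
    try:
        fields["ts"] = parse_ts(m.group("ts"))
    except ValueError:
        return None
    return fields


def unrevoked_accounts(terminations, accounts):
    """Terminated users whose directory entry still grants any access."""
    issues = []
    for user in terminations:
        acct = accounts.get(user)
        if acct is None:
            continue  # already deleted from the directory: nothing to revoke
        problems = []
        if acct["enabled"]:
            problems.append("account still enabled")
        if acct["vpn"]:
            problems.append("remote access (VPN) still enabled")
        if acct["shared_drives"]:
            problems.append("still a member of shared drives: " + ", ".join(acct["shared_drives"]))
        if problems:
            issues.append({"user": user, "problems": problems})
    return issues


def stale_shared_credentials(terminations, shared_accounts):
    """Shared accounts whose password predates the departure of a member who knew it."""
    out = []
    for name, acct in shared_accounts.items():
        rotated = parse_ts(acct["password_rotated"])
        for member in acct["members"]:
            term = terminations.get(member)
            if term is not None and rotated < parse_ts(term):
                out.append({"account": name, "departed_member": member})
    return out


def post_termination_access(terminations, log_lines):
    """Access events attributed to a user after that user's termination time."""
    cutoffs = {u: parse_ts(t) for u, t in terminations.items()}
    findings = []
    for line in log_lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cutoff = cutoffs.get(ev["user"])
        if cutoff is not None and ev["ts"] > cutoff:
            findings.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                             "system": ev.get("system", "?"), "action": ev.get("action", "?")})
    return findings


def run_audit():
    """Run all three checks over the constructed sample data."""
    return {
        "unrevoked": unrevoked_accounts(TERMINATIONS, ACCOUNTS),
        "stale_shared": stale_shared_credentials(TERMINATIONS, SHARED_ACCOUNTS),
        "post_termination": post_termination_access(TERMINATIONS, ACCESS_LOG),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"== {check} ({len(findings)} finding(s))")
        for f in findings:
            print("  ", f)
```

On the sample data the audit flags `jluke` three times (enabled account, VPN, shared-drive membership), the `frontdesk` shared password that was last rotated before his departure, and two post-termination log events. Note that `mwalker` appears in the log after termination even though the directory shows the account disabled: that pattern usually means a session or token issued before the disable was never revoked, which is why session invalidation belongs in the offboarding checklist alongside the account disable.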
Ongoing HIPAA training for all employees ensures that healthcare workers understand their obligations under the law and the potential consequences of non-compliance. The training should cover the proper handling of PHI, the reporting of potential breaches, and the consequences of violating HIPAA regulations.
Healthcare organizations should have well-defined sanctions policies that outline the penalties for HIPAA violations, ranging from verbal warnings to termination of employment. These policies should be consistently enforced to send a clear message about the seriousness of protecting patient information.
Yes, you can go to jail for violating HIPAA if you are found to have knowingly and wrongfully obtained or disclosed individually identifiable health information without authorization. The Department of Justice interprets "knowingly" as requiring only knowledge of the facts that constitute the offense; the perpetrator does not need to be aware that the conduct violates HIPAA.
The consequences of HIPAA violations differ based on the severity and context of the breach. Civil penalties range from $100 to $50,000 per violation, up to an annual cap of $1.5 million for repeated violations of the same provision (these are the statutory base figures; HHS adjusts them for inflation each year). Where PHI is knowingly obtained or disclosed in violation of HIPAA, the case can be referred to the Department of Justice for criminal prosecution, with fines of up to $250,000 and imprisonment of up to 10 years for the most serious offenses, those committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
If a potential HIPAA violation is suspected, it should be reported immediately to the organization's privacy or compliance officer. The incident should be thoroughly investigated, documented, and addressed according to established protocols. If necessary, affected individuals should be notified, and appropriate corrective actions should be taken.
Healthcare organizations can access resources such as guidance documents and toolkits provided by the Department of Health and Human Services (HHS), as well as industry associations and professional organizations specializing in healthcare compliance and privacy. Additionally, consulting with legal experts and compliance professionals can provide valuable insights and assistance in maintaining compliance with HIPAA regulations.