There are 2.2 million people incarcerated in the United States. They spend their days behind bars for a crime they committed, until they have fully served their sentence.
The length of that sentence depends on the severity of the crime. Once sentenced, a prisoner becomes one number on an orange jumpsuit among many, and how each of them got there stays mostly anonymous. The one thing every prisoner has in common is that they are all serving their time in the same place, meant to reflect and reform.
Sure, that last paragraph was rather poetic. It also stated a lot of information you already know: everyone knows jail exists as a place for people who broke the law to reflect on their past transgressions. What they did in their past life led up to this point, whether or not they knew that what they were doing was wrong. It is also not a "fun" experience.
No one actively wants to go to jail, so people abide by the law to avoid it.
I'm not here to explain the common-sense laws that exist and the penalties you may face if you don't follow them; I'm not a lawyer. Instead, I'm going to explain the penalties you could face under a law that is specific to one industry in particular.
The Health Insurance Portability and Accountability Act (HIPAA) exists to protect patient privacy and to require that organizations secure patient information. Although it is mostly enforced against organizations, there have been instances where the Office for Civil Rights (OCR) and federal prosecutors penalized an individual.
Thus, if you are required to follow HIPAA because of where you work and you commit a violation, the penalty could extend to you personally.
If you're reading this blog post, that is probably exactly what you're trying to figure out. Maybe you want to prepare yourself in case you ever commit a violation in the future. Or maybe you've already breached HIPAA and want to know what to expect before you receive your penalty.
Either way, the ultimate question is: "Can you go to jail for a HIPAA violation?"
Throughout this blog post, I'm going to include real-world examples of HIPAA violations where the penalties fell on the individuals who committed them. Scenarios where the OCR disciplined only the organization are out of scope.
Cases Where You Won't Go
After reading the last paragraph in the section above, I need to confess that I don't have a "real-world" example for the cases where you won't go to jail for a HIPAA violation.
In other words, I can't link you to a story that a well-known news outlet covered, because these are small-scale violations.
That doesn't mean these violations don't happen. They are the most common form.
The reality is that the average number of breaches per day that affect 500 records or more is 1.76.
Why is the cutoff for that statistic 500?
Although the OCR requires organizations to report every breach of unsecured PHI, it only publishes the list of breaches that affect 500 or more individuals.
The smaller breaches aren't made public for two main reasons.
First, the OCR only requires that organizations report breaches affecting fewer than 500 individuals on an annual basis, no later than 60 days after the end of the calendar year in which the breach was discovered. For breaches affecting 500 or more individuals, the OCR mandates that the organization report what happened "without unreasonable delay and in no case later than 60 calendar days from the discovery..."
Second, smaller breaches simply happen too often.
No national news outlet is going to cover a story of a doctor gossiping about their patient to someone who wasn’t authorized. Although gossiping is one of the leading causes of a HIPAA violation, it usually only affects a small number of patients.
I'm not trying to dismiss the severity of that type of behavior; it is still inappropriate.
However, it isn't the kind of action that's going to get you sentenced to "the big house". You could lose your job, though.
This is a good point in the blog to mention how the OCR determines penalties. Usually, the OCR penalizes the organization with a monetary fine. The amount depends on the nitty-gritty details of what happened, and in particular on how much the organization knew and whether it corrected the problem. From those details, the OCR categorizes the violation into one of four tiers. Each tier has a range of fines associated with it.
Each tier used to share an annual limit of $1.5 million. In 2019, the OCR significantly restructured the annual caps associated with the lower tiers.
I know that this is mostly about organizations that commit HIPAA breaches. Knowing it will help you understand what can happen on an individual level, which I'll cover in the next section.
Cases Where You Will Go
Now you know the civil penalties that the OCR doles out based on what it finds during its investigation of the organization where a breach occurred.
Even though those civil penalties are the most common outcome, that doesn't mean the individual who committed the violation is off the hook.
HIPAA also defines criminal penalties, again in tiers. The OCR refers these cases to the Department of Justice, which prosecutes them. The tiers track intent: knowingly obtaining or disclosing PHI carries up to one year in prison, doing so under false pretenses up to five years, and doing so with intent to sell the data or to cause malicious harm up to ten years.
Now you understand why I went over the civil penalties in the previous section. Even though every HIPAA breach is different, the predefined tiers make it easier to reach a judgment.
Going to jail for a HIPAA violation doesn't happen often; it only happens in rare cases. Whether you go or not largely depends on your motive and on whether or not you knew that what you were doing was wrong.
Purposefully Stealing PHI Leads to Arrest
In February of 2017, a former behavioral health analyst for Transformations Autism Treatment Center (TACT) downloaded 300 files of PHI after he had been terminated. The former employee had granted his personal email address access to a shared Google Drive that contained PHI files of TACT patients.
Roughly one month later, TACT realized that someone had remotely accessed and downloaded some of its PHI. TACT reached out to the FBI and an investigation was launched.
Investigators were able to pinpoint the former employee as the bad actor by tracing the downloads back to the IP address of his personal computer.
When law enforcement went to his house and seized his personal computer, they found the stolen TACT data on it. They also found PHI files from his employer before TACT. In other words, this wasn't the former analyst's first time stealing sensitive data from a former workplace.
As a result, the court sentenced the former employee to 30 days in prison and ordered him to pay $14,941.36.
This case serves as a precedent for future scenarios involving employees who steal PHI from their employer to sell it on the black market. Bad actors put a high price tag on sensitive data like PHI, which might lure disgruntled workers to try to steal it for monetary gain.
If the former analyst had accidentally downloaded TACT's PHI onto his personal computer, notified the organization and worked with it to wipe the data from his hard drive, he probably wouldn't have faced such a harsh penalty.
Instead, he went to jail because of his motive and because he knew what he was doing was wrong.
Healthcare Professional Loses License in Scheme
A 65-year-old gynecologist in Massachusetts faced up to 6 years in prison and a $300,000 fine for lying to federal investigators and breaking the HIPAA Privacy Rule.
The gynecologist gave a pharmaceutical sales rep access to PHI so the rep could complete pre-authorization forms for insurance companies that weren't approving prescriptions for Warner Chilcott's osteoporosis drugs.
Further, the healthcare professional was accused of receiving over $23,000 to prescribe drugs produced by the pharmaceutical company. Instead of admitting that the money was payment for prescribing, the gynecologist told federal investigators that it was for speaking at educational events and for writing a research paper.
To make matters worse, she told the sales rep to repeat the same story to back her up.
When sentencing came, the judge was rather lenient. The gynecologist didn't face any fines, only needed to serve one year of probation, and permanently lost her license. Her sentence wasn't as bad as it could have been. The judge opted for a lesser sentence because of the gynecologist's history of charitable work helping impoverished women in her area.
Stealing Financial Information Instead of PHI
Sometimes crime within the healthcare space isn't directly related to PHI.
From 2016 to 2017, an employee at an NHC Health Care nursing home logged into the facility's computer system to access and steal the financial information of its patients. The employee used the stolen data to purchase items for herself and her family.
The court scheduled her sentencing hearing for June 21, 2018. She faced up to 10 years in prison, a $250,000 fine and restitution to the victims of her fraud scheme.
There are similarities between the criminal acts she committed and the first real-world example I gave earlier. However, her motive wasn't to sell PHI on the black market. Instead, she recorded and used the financial information of the patients staying at the nursing home where she worked.
Conclusion
Although going to jail for a HIPAA violation isn't common, it is not a ruling that's out of the picture.
It's safe to say that you aren't going to prison for a "lesser" breach. Although no violation is something to brush off, there's no denying that some are more severe than others.
What determines whether or not you're going to jail after breaking the biggest law in healthcare is the intent behind what you did.
If you accidentally opened a patient's chart that you shouldn't have, you're most likely not going to face criminal charges. You might face some discipline from your employer, but the root cause may be that the organization granted you more access within its systems than your role required.
If you got a little too comfortable with the sensitive information you worked with, or decided to commit a negligent or criminal act, I have bad news for you. You could face a criminal hearing and sentencing.