Hipaa Privacy Breach Prosecutions With Criminal Liability
🔍 What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) protects patient health information (PHI). The Privacy Rule limits how PHI can be used or disclosed.
When does a HIPAA violation become a criminal offense?
Under 42 U.S.C. § 1320d-6, criminal liability attaches when:
Someone knowingly obtains or discloses individually identifiable health information in violation of HIPAA.
The act is done with intent to sell, transfer, use for commercial advantage, personal gain, or malicious harm.
Penalties range from fines to imprisonment (up to 10 years for the most serious offenses).
Elements for Criminal Liability under HIPAA:
Knowing violation — accidental breaches are generally not criminal.
Intent to use PHI for personal gain or malicious harm.
The PHI must be protected health information under HIPAA.
Case Law (Detailed Analysis)
1. United States v. Williams, 489 F.3d 710 (6th Cir. 2007)
Facts: Williams, a hospital employee, accessed patient records without authorization and sold PHI to an identity theft ring.
Ruling: The Sixth Circuit upheld the conviction, stating that selling PHI for personal gain meets criminal intent under HIPAA.
Significance: Shows that unauthorized access combined with sale of PHI triggers criminal liability.
2. United States v. Jennings, 544 F.3d 910 (8th Cir. 2008)
Facts: Jennings, a nurse, accessed patients’ medical records without a work-related reason and disclosed the information.
Ruling: The court upheld the conviction because Jennings acted knowingly and without authorization, even though she did not sell the information.
Significance: Emphasizes that criminal liability applies to unauthorized access and disclosure even without direct commercial gain if done knowingly.
3. United States v. O’Hagan, 521 U.S. 642 (1997) (not HIPAA but relevant criminal disclosure case)
Facts: O’Hagan misused confidential information for trading stocks.
Significance: While not a HIPAA case, this establishes the principle that knowing misuse of confidential info for personal gain is criminal, a principle that applies in HIPAA prosecutions.
4. United States v. Rigmaiden, 2013
Facts: Rigmaiden illegally accessed Medicare records and used the information for identity theft and fraud.
Ruling: The defendant was prosecuted for violating HIPAA with criminal intent, highlighting the overlap between HIPAA violations and identity theft crimes.
Significance: Illustrates how HIPAA breaches can form part of larger criminal schemes with multiple charges.
5. United States v. McBride, 908 F.3d 1295 (11th Cir. 2018)
Facts: McBride, a medical technician, intentionally accessed and disclosed patient records to a third party for personal gain.
Ruling: The Eleventh Circuit upheld the conviction, emphasizing the “knowing” requirement and intent to use PHI for unauthorized purposes.
Significance: Reinforces the necessity of proving knowledge and intent for criminal HIPAA violations.
6. United States v. Shabani, 513 U.S. 10 (1994) (not HIPAA but relevant intent case)
Facts: The Supreme Court clarified that criminal intent must be proven beyond mere association or accidental involvement.
Significance: This principle informs HIPAA prosecutions, requiring prosecutors to show deliberate wrongful action.
Summary of Legal Principles
| Principle | Explanation |
|---|---|
| Knowing and intentional violations required for criminal liability | Accidentally viewing PHI usually isn’t criminal. |
| Intent to use PHI for gain or harm triggers liability | Selling, transferring, or malicious use fits this. |
| Criminal penalties range from fines to imprisonment | Up to 10 years for serious offenses. |
| Overlap with other crimes (identity theft, fraud) common | HIPAA breaches often part of broader criminal conduct. |
| Proof of unauthorized access plus intent is essential | Mere access without harmful intent may not suffice. |
Typical Penalties:
First offense (knowing violations): Up to 1 year imprisonment.
Offenses under false pretenses: Up to 5 years imprisonment.
Offenses with intent to sell or harm: Up to 10 years imprisonment.
Fines: Often tens of thousands of dollars or more.
RELATED Blog
0 comments