Reminder: HIPAA violations can be criminal

As part of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (Aug. 21, 1996) (HIPAA), Sections 261 through 264 required the HHS Secretary to create both privacy and security standards regarding protected health information. The Privacy Rule was initially published in the Federal Register on December 28, 2000, with subsequent modifications to the Privacy Rule being published on August 14, 2002. Hence, Privacy Rule requirements are not new. The HIPAA Enforcement Rule (71 Fed. Reg. 8390 (Feb. 16, 2006)), as well as the HITECH Act Enforcement Interim Final Rule and the Final Omnibus Rule (78 Fed. Reg. 5566 (Jan. 25, 2013)), have provided HHS-OCR with the option of imposing penalties – both civil and criminal.

Before delving into a recent enforcement action, whereby criminal HIPAA penalties were assessed, it’s important to appreciate that the U.S. Department of Justice (DOJ) is responsible for criminal prosecutions for violations of the Privacy Rule, Security Rule, and Breach Notification Rule (collectively “HIPAA Rules”) – not HHS-OCR. HHS-OCR’s jurisdiction covers four tiers of possible civil penalties, which may be assessed. The four categories used for the penalty structure are as follows:

• Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules.
• Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).
• Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.
• Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.

Now that the background has been established, let’s turn to a December 2021 DOJ criminal HIPAA enforcement action, which involved a medical biller and the theft of protected health information (PHI). According to the December 3, 2021 press release, which led to the medical biller pleading guilty to four counts of healthcare fraud, four counts of aggravated identity theft, one count of filing a false federal income tax return, and two counts of failing to file federal income tax returns, the following facts were set forth in the court documents:

• The perpetrator was a medical biller at a Clearwater, Florida company that furnished credentialing and medical billing services to its medical provider clients, where he had access to the company’s financial, medical provider, and patient information.
• The perpetrator was responsible for submitting claims to Florida Medicaid HMOs for services rendered by Physician 1 to Medicaid recipients.
• The perpetrator “abused his role as a medical biller by wrongfully access and utilizing the company’s patient information and Physician #1’s name and identification number, and using those to submit false and fraudulent claims.” (emphasis added).
• The perpetrator knowingly signed and filed a false federal 2019 income tax return substantially understating his income by reporting only his employment wages and not the substantial amounts of income, which were not a result of expenses, that were derived from his fraudulent activities.

The end result? The perpetrator “faces a maximum penalty of 10 years in federal prison for each healthcare fraud count, a 2-year mandatory consecutive sentence on the aggravated identity theft counts, a maximum penalty of 3 years for filing a false income tax return, and up to 2 years for each failure to file an income tax return offense.” The Government also informed him that it seeks to forfeit $2.2 million in funds and real property – all of which were traceable to the ill-gotten gains of his alleged offenses.