November 22, 2004

HIPAA Gavel Drops — A Message to Healthcare

An employee of a Seattle cancer center became the first privacy law prosecution. The case also could have been prosecuted as identity theft and credit card fraud. That it became a HIPAA case wasn’t a fluke.

A man pleading guilty to violating HIPAA’s confidentiality rules could serve as a wake-up call for many in the healthcare industry. In mid-August, Seattle phlebotomist Richard Gibson, 42, admitted that he had obtained personal protected health information about a cancer patient that gave him the ammunition to use four of that patient’s credit cards in racking up more than $9,000 in charges. Gibson was an employee at the Seattle Cancer Care Alliance and in essence performed an identity theft on the unsuspecting patient to buy video games, jewelry, and other items, according to the U.S. Attorney’s Office.

Plea Deal

The fact that the federal government elected to prosecute Gibson for violating HIPAA rules was surprising and unique, according to many law experts. If the case had followed a more typical scenario, Gibson would have been prosecuted for credit card fraud and identity theft. But because he was employed by the cancer center—a “covered entity” under the privacy rule—HIPAA was invoked. That should send a message to hospitals and healthcare systems and practices across the country.

Brian Annulis, an attorney with the Michael Best & Friedrich LLP law firm headquartered in Chicago, says this move by the U.S. Attorney’s Office should tell healthcare administrators that the government is serious about HIPAA. He believes this is the government’s strongest legal message yet concerning a HIPAA infraction.

“HIPAA includes a criminal provision that hospitals would not be subject to, but they could be subject to the civil provision,” says Annulis, whose firm specializes in working with healthcare clients around the country.
“Identity theft is something that has been rearing its ugly head in our country for a few years now, but the fact that the government decided to use HIPAA means they wanted to get their point across and to get some media attention. If this was just a regular $9,000 identity theft case, it wouldn’t even make the newspapers, but this was meant to send a ripple throughout the industry.”

Annulis says the civil monetary penalties handed out by the government to healthcare entities cannot exceed $1,000 per offense or $25,000 total per year, but the penalties in a civil suit brought against a healthcare entity by an individual are limitless—and, in certain cases, could mean a multimillion-dollar lawsuit depending on how the crime was committed and how much money or credit was stolen.

This case isn’t the first time a hospital or healthcare employee has used information obtained from their job to steal from a patient via identity theft. However, Annulis says this is the first time the government has prosecuted a case invoking HIPAA’s privacy component.

What’s It Mean?

“The federal law only requires that healthcare facilities go through a HIPAA training program up front, but we tell our clients—whether physician practices, home healthcare organizations, or hospitals—to take a HIPAA training program annually. We also tell them to educate their employees about any changes,” says Mike Fleischman, vice president and principal of Gates Moore & Company in Atlanta, a consulting firm that provides strategic and operational physician practice management and tax and accounting services.

The government indicated that the serious nature of this crime played a role in the penalties it was seeking.

“Too many Americans have experienced identity theft and the nightmare of dealing with bills they never incurred. To be a vulnerable cancer patient, fighting for your life and having to cope with identity theft is just unconscionable,” says U.S. Attorney John McKay.
“This case should serve as a reminder that misuse of patient information may result in criminal prosecution.”

U.S. Attorney Public Affairs Officer Emily Langlie says government lawyers examined the statutes that could be brought against Gibson, and it was determined that the amount of time served and penalties levied were similar whether it was tried under HIPAA or under credit card fraud laws. Since Gibson was a phlebotomist who blatantly stole from a person who was relying on the healthcare system to treat a serious ailment, Langlie says the HIPAA angle was appropriate.

“There is always an interest in deterrence, and this is certainly a case that had more attention than it would have had it been tried under a different statute,” she says.

Warning Shot

Dan Rode, vice president for policy and government relations for the American Health Information Management Association, says that as of September, the Office of Civil Rights has turned a number of cases, perhaps as many as 30 to 40, over to the U.S. Justice Department that could be prosecuted under HIPAA laws. Rode also says the Department of Justice looks at identity theft complaints that arise out of a healthcare setting, gains additional evidence, and formulates how the case should be prosecuted.

“This may be the first of a number of cases that are treated in this manner,” Rode says. “What this case in Seattle has shown us is that the prosecution under HIPAA is accepted well.”

Annulis says it is virtually impossible for healthcare administrators to prevent a HIPAA violation if an employee decides to break the law. But any civil penalties levied against that entity could be significantly lessened or dropped altogether if investigators determine that facility administrators took reasonable steps to prevent the violation. Such steps include conducting a complete criminal and credit background check on all new employees.
These checks cost money, but Fleischman says it is a basic function of the hiring process these days that all organizations, whether in healthcare or not, should take.

“We have laws here in Georgia where certain violations can be prosecuted under HIPAA and state ID theft [statutes],” he says.

Fleischman adds that some healthcare organizations are still ill-equipped to deal with HIPAA regulations and that some are buying privacy manuals for the first time. He notes that one area that could incite a HIPAA violation and warrants attention is security.

“Organizations have to make sure they are up-to-date with their internal security standards,” he says. The electronic security standards will be enforced beginning next year.

Preparation is more than half the battle, according to Annulis. And healthcare organizations should understand how seriously the government is taking the Seattle case because of the lightning speed with which the case moved through the courts.

“What you want to be able to do when the FBI or the police come to your door is cooperate with them and show them your compliance plan and how every employee has documentation of the plan,” says Annulis. “They want to be able to say, ‘We did all that we could.’”

No Track Record

“For the first time, we have a case that demonstrates the government’s interest in pursuing the HIPAA law,” says Rode. “That is significant for every organization [in the industry].”

— Mike Scott is a freelance writer who has contributed to more than 70 magazines, newspapers, and Web sites on numerous topics—from business to healthcare to technology. He lives in Waterford, Mich.
3801 Schuylkill Rd • Spring City, PA 19475
Publishers of Radiology Today
All rights reserved.