Prison terms for HIPAA violations predicted to rise
The threat of PHI data being used for criminal activities is expected to grow – 2014 saw numerous high profile breaches, many of them caused by hackers. However, as the move to ePHI continues, healthcare professionals and their business associates have legitimate access to thousands of patient records at their fingertips, and while the majority of these members of staff will treat this data with the privacy it deserves, unfortunately, there are a few individuals who will attempt to use this data illegally for personal gain.
This data is more easily accessible to these individuals as a result of developments in technology that allow them to access PHI without having to lay a hand on a physical paper record.
A recent HIPAA violation resulted in an 18-month prison term and a fine of $12,152 for Joshua Hippler, a former East Texas hospital worker who was prosecuted for the wrongful disclosure of individually identifiable health information with the intent to sell, transfer and use it for personal gain.
Accessing PHI without authorization is prohibited under HIPAA legislation, while the disclosure of this information to a third party is a criminal matter. The offense carries a jail term of up to 10 years in addition to a maximum fine of $500,000 if the disclosure is made for personal gain. Given that Hippler pleaded guilty to allegations that he intended to sell this information, some may say he got off lightly with this sentence.
A webcast set to be broadcast on March 12 by www.healthcareinfosecurity.com will highlight the increased threat of PHI specifically being targeted. PHI is a valuable commodity – while credit card numbers with related CDI and PIN information are typically being sold at one dollar per record on the black market, comprehensive PHI credentials are reportedly worth up to $1,000 per record. With this information in mind, hackers may not be the biggest threat to an organization; it could be an employee with legitimate access to PHI who ends up being responsible for a data breach.
While the majority of HIPAA criminal charges have been lodged against individual employees, organizations are also at risk of being criminally prosecuted under HIPAA. Organizations with inadequate policies and procedures in place to prevent unauthorized access to PHI could face criminal charges. Similarly, an organization that is aware that an employee has accessed or disclosed PHI but fails to take the necessary actions to inform HHS may also be liable to criminal charges.
Joshua Hippler is not the first employee to attempt to sell PHI, and he certainly won’t be the last. It is therefore crucial that regular checks are made to identify any unusual user behaviour when accessing ePHI, as well as restricting access to records and using a secure document management system that automatically generates an audit trail.
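A minimal audit-trail check of the kind the paragraph above calls for, written here as an added example (it is not code from the article or from any named product): it parses a constructed ePHI access log and flags off-hours access and bursts of distinct patient records opened by one user. The log format, the business-hours window and the burst thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not real data): one access event per line,
# "timestamp user_id patient_record_id".
AUDIT_LOG = """\
2015-02-10T09:12:04 nurse_a P1001
2015-02-10T09:40:19 nurse_a P1002
2015-02-10T10:05:33 nurse_a P1003
2015-02-10T11:30:00 nurse_c P1004
2015-02-10T22:14:02 clerk_b P2001
2015-02-10T22:14:09 clerk_b P2002
2015-02-10T22:14:15 clerk_b P2003
2015-02-10T22:14:21 clerk_b P2004
2015-02-10T22:14:27 clerk_b P2005
2015-02-10T22:14:33 clerk_b P2006
2015-02-10T22:14:40 clerk_b P2007
"""

BUSINESS_HOURS = range(7, 19)  # assumed: 07:00-18:59 is normal shift time
BURST_WINDOW_SEC = 60          # assumed: records opened within 60 s form one burst
BURST_THRESHOLD = 5            # assumed: more than 5 distinct records per burst is unusual

def parse_log(text):
    """Parse audit lines into (timestamp, user, patient) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, patient))
    return events

def find_unusual_access(events):
    """Return sorted (user, reason) alerts for off-hours access and record-browsing bursts."""
    alerts = set()
    by_user = defaultdict(list)
    for ts, user, patient in sorted(events):
        if ts.hour not in BUSINESS_HOURS:
            alerts.add((user, "off-hours access"))
        by_user[user].append((ts, patient))
    for user, accesses in by_user.items():
        # Sliding window over this user's accesses, ordered by time.
        start = 0
        for end in range(len(accesses)):
            while (accesses[end][0] - accesses[start][0]).total_seconds() > BURST_WINDOW_SEC:
                start += 1
            if len({p for _, p in accesses[start:end + 1]}) > BURST_THRESHOLD:
                alerts.add((user, "record-browsing burst"))
                break
    return sorted(alerts)
```

Run against the sample log, only clerk_b is flagged, on both rules; nurse_a's three daytime lookups spread over an hour are not.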