Jail Term for Employee Underscores Importance of Hawaii Employers Complying with HIPAA

In June 2009, a 22-year-old Honolulu mother of three young children was sentenced to a year in prison for illegally accessing another woman's medical records and posting on a MySpace page that she had HIV.

The State of Hawaii brought charges against the woman under a state statute criminalizing the unauthorized access to a computer; and which categorized the conduct of the defendant as a class B felony.

According to accounts of the incidents that led to the woman’s conviction, there was a feud between the victim and the victim's sister-in-law, a friend of the defendant.  The defendant, who worked as a patient service representative at the hospital where the victim was a patient, accessed the computer for the victim's sister-in-law.

Over the course of approximately ten months, the defendant accessed the patient's medical records three times through a computer.  After she learned of the victim's medical condition, the defendant posted on her MySpace page that the victim had HIV.  In a second posting, she said the victim was dying of AIDS.

The victim complained to hospital officials of the unauthorized access. After an internal investigation the hospital terminated the defendant’s employment.

The defendant’s conduct, of course, was egregious and inexcusable.  The one-year jail term handed down by the Court exceeded the term recommended by the prosecutor.  Nevertheless, beyond the issue of holding the defendant accountable for her actions some may question to what extent the hospital should bear responsibility for the breaches of confidentiality that occurred.

Federal law imposes statutory burdens on health care providers to protect against the improper use or disclosure of private health information and to reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.

 Specifically, the Health Insurance Portability and Accountability Act of 1996’s (“HIPAA”) privacy regulations became effective on April 14, 2003.  HIPAA is intended to protect consumers’ health information, allow consumers greater access and control to such information, enhance health care, and finally to create a national framework for health privacy protection.  HIPAA covers health plans, health care clearinghouses, and those health care providers that conduct certain financial and administrative transactions electronically.

In addition to the privacy regulations, HIPAA’s security rules became effective on April 21, 2005.  Together the privacy and security regulations are the only national set of regulations that governs the use and disclosure of private, confidential and sensitive information.

Under HIPAA’s Security Rule, the standards for the protection of electronic information covered by HIPAA are divided into three groups: Administrative safeguards, Physical safeguards and Technical safeguards.

A couple of the most significant required safeguards under HIPAA are the Administrative “Sanction Policy” and “Security Awareness Training” safeguards.  The sanction policy standard requires a communication to all employees regarding the disciplinary action that will be taken by the covered entity for violations of HIPAA.  The sanction policy should have a notice of civil or criminal penalties for misuses or misappropriation of health information and make employees aware that violations may result in notification to law enforcement officials and regulatory, accreditation, and licensure organizations.

The security awareness training standard requires all employees, agents, and contractors to participate in information security awareness training programs.  Based on job responsibilities, the covered entity should require individuals to attend customized education programs that focus on issues regarding use of health information and responsibilities regarding confidentiality and security.

The HIPAA privacy and security regulations require a privacy officer and security officer to be designated by the covered entity.  The privacy and security officer should continually analyze and manage risk by thoroughly assessing potential risks and vulnerabilities, and implementing related security measures.

The U.S. Department of Justice (“DOJ”) clarified the penalties that may be assessed and against whom for HIPAA violations.  Covered entities and individuals whom "knowingly" obtain or disclose individually identifiable health information in violation of HIPAA may be fined up to $50,000, as well as imprisonment up to one year.

Offenses committed under false pretenses allow penalties to be increased--a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Given the security breach that led to the tragic events, including the one-year jail term for the defendant, Hawaii employers, health care providers and health plans should review their privacy and HIPAA policies and conduct an audit of their practices in order to protect against the improper use and disclosure of private health information and to reduce the risk of privacy breaches in their own organization.