Houston hospitals and their employees who allegedly sold confidential patient information that ended up in the hands of personal injury lawyers may face civil and criminal liability under federal patient privacy laws, healthcare lawyers said.
To date, no criminal charges have been filed under the patient privacy provisions of the Health Insurance Portability and Accountability Act since it went into effect in April. HHS' Office for Civil Rights, the agency charged with civil enforcement of HIPAA privacy provisions, has resolved nearly one-quarter of the 1,700 HIPAA-related complaints filed so far, but no civil monetary penalties have been assessed, an HHS spokesman said.
Last week, health lawyers and HIPAA experts predicted that could soon change and said an alleged Houston theft ring could be a test case for future HIPAA prosecutions.
In August, Juvenal Caballero Guerrero, a patient-care employee at Houston's Memorial Hermann Healthcare System, was arrested and charged by the Harris County district attorney with selling 15 medical records for $500 to a company called Industrial Safety Consultants, which investigates accidents. In the wake of that arrest, a patient admissions supervisor at Ben Taub General Hospital, also in Houston, was suspended without pay pending the result of an internal investigation into her alleged role in a similar patient records sale to the same company.
Assistant District Attorney Lester Blizzard said the investigation has unearthed "a vast organization dealing with a number of hospitals and numerous boxes of patient records." He said he expects more arrests and criminal indictments. His office is investigating whether Industrial Safety Consultants sold the patient records to personal injury lawyers, he said.
Houston lawyer Joel Androphy, who represents the owner of Industrial Safety Consultants, confirmed that the district attorney seized his client's records, but added, "If somebody says my clients were involved in selling any records, we would of course deny that."
To date, Blizzard said no other enforcement agency has joined the investigation. Guerrero, the only person arrested so far, was charged under Texas law with commercial bribery. Sources from the U.S. attorney in Houston, HHS' Office for Civil Rights and the U.S. Justice Department either could not be reached for comment or declined to confirm or deny any federal probes into the alleged patient records sale.
"Hospitals have a responsibility to maintain the confidentiality of their patient records under various statutes," Blizzard said. "It is incumbent upon them to do so."
Health lawyers and HIPAA experts said the hospitals were victimized by the thefts of their patient records, but they also may face potential federal civil and criminal liability under HIPAA for failure to protect the confidentiality and privacy of medical records as they are required to do.
They said the Office for Civil Rights may have the authority to investigate and issue civil monetary penalties for HIPAA violations, and the Justice Department would be responsible for investigating and assessing criminal penalties.
Healthcare lawyers, citing the ongoing investigation, would not speak about specific examples. Attorney Bruce Fried, of the Washington office of Sonnenschein Nath & Rosenthal, said if the hospital failed to offer training and education to employees as required by HIPAA, it could be held legally accountable under HIPAA for the alleged records sales.
"A solid compliance program is a strong protection," Fried said.
Mark Lutes, a lawyer with the Washington office of Epstein Becker & Green, said that under HIPAA's civil penalty section, a hospital could be considered in violation of the law without knowing about the employee's alleged illegal activity. The criminal portion of the law, however, does require the government to prove that the charged parties knew about the violations. Criminal penalties are significantly higher than the civil fines and include potential imprisonment of up to 10 years.
Robert Gellman, a privacy consultant in Washington, said selling patient information to private investigators and personal injury lawyers is not new. "I think it's about time somebody's investigating it," he said. But he was skeptical about whether federal authorities would get involved, he said.
"Few people have been prosecuted for this, and the government has a spotty record in prosecuting medical record theft," he said. "But HIPAA might offer the feds a tool they've been needing."
Risk management consultant Jill Callahan Dennis, who is a board member of the Chicago-based American Health Information Management Association and a principal at privacy consultancy Health Risk Advantage in Parker, Colo., said when it comes to the illegal behavior of their employees, hospitals are in a difficult spot.
"It's almost impossible to protect yourself from someone intent on breaking the law, despite whatever training and education they've received and compliance programs are in place," she said.