The sentencing of the first person convicted of violating the Health Insurance Portability and Accountability Act isn't likely to deter similar misconduct, health lawyers said, but it offers government prosecutors another weapon with which to punish violators and shows that the previously untested law works.
On Nov. 5, a Seattle federal judge sentenced a former laboratory technician and phlebotomist to serve 16 months in prison and pay $9,000 in restitution in the first criminal conviction under HIPAA's privacy provisions, U.S. Attorney John McKay said. U.S. District Judge Ricardo Martinez sentenced Richard Gibson, 42, for violating the 1996 law that prohibits the wrongful disclosure of individually identifiable healthcare information for financial gain. HIPAA's healthcare privacy provisions took effect in April 2003.
The Seattle Cancer Care Alliance, a collaboration among the University of Washington Medical Center, Fred Hutchinson Cancer Research Center, and Children's Hospital and Regional Medical Center, employed Gibson from November 2001 until he was fired in February 2003. He pleaded guilty in August to stealing cancer patient Eric Drew's personal identification information to obtain credit cards and charging more than $9,000 in Drew's name.
"After this I don't leap to the conclusion that providers will be more susceptible to criminal prosecution for routine disclosures of personal health information because of the acts of their employees," said Mark Lutes, a lawyer with Epstein Becker & Green's Washington office.
"The more appropriate question is did the hospital or other provider apply the proper technical safeguards? How did the HIPAA-covered entity analyze its risk of the threat of identity theft?" Lutes asked. "We see heightened sensitivity to the security of individually identifiable healthcare information everywhere in the market and to that degree, the law has been successful."
American Hospital Association spokesman Richard Wade said the Seattle incident wasn't just a HIPAA violation "but a serious crime compounded only by the vulnerability of the patient. That activity is so extreme. I don't know whether the law will have much of a deterrent effect on people who do that. But it shows that when these things do occur, the government will deal with them swiftly and severely."
Wade said the most common violations are unintentional invasions of patient privacy.
"Casual conversations overheard, leaving patient charts on walls where visitors can see them, posting surgery schedules where non-staff can see them," Wade said. "These are the everyday HIPAA problems that concern hospital executives."
The judge called Gibson's actions "a vicious attack on someone fighting for his life" and exceeded the recommended one-year sentence.
Bruce Fried, a lawyer with the Washington office of Sonnenschein Nath & Rosenthal, said Gibson's actions are "the exact kind of behavior HIPAA was intended to go after. It also reminds us that greed and stupidity are alive and well, and that greedy, stupid people will continue their schemes, even if a well-intentioned law is aimed at deterring them."