Ex-employee charged with HIPAA Violations

An ex-employee of UPMC Shadyside Hospital in Pittsburgh was charged in a 14-count indictment. According to the United States Attorney's Office for the Western District of Pennsylvania:

According to the indictment, in February 2008, Pepala, then employed at UPMC Shadyside Hospital, disclosed to others names, birth dates and Social Security numbers of patients for personal gain, in violation of federal HIPAA laws, and disclosed Social Security numbers to other persons without their authorization. This information was used to file false tax returns in 2008. Pepala was also charged with violating the Social Security Act by disclosing Social Security numbers in violation of federal law.

The law provides for a maximum total sentence of 80 years in prison, a fine of $4,730,000, or both. Under the Federal Sentencing Guidelines, the actual sentence imposed would be based upon the seriousness of the offenses and the prior criminal history, if any, of the defendant.

There have been very few cases of HIPAA violations that have resulted in prison terms. If he is found guilty and does receive a prison term, it will send a powerful message: HIPAA violations are serious offenses. Accessing and selling electronic protected health information (ePHI) for personal gain should be prosecuted. With the changes to HIPAA brought by the HITECH Act, we may see more enforcement, higher penalties and more prison terms for offenders. All would be good steps toward protecting patient information.


HIPAA Willful Neglect can cost a practice

There is a very good article over at AIS's Health Business Daily that discusses HIPAA and HITECH violations. With the signing of the HITECH Act as part of the ARRA stimulus bill, the penalties for HIPAA violations have increased dramatically. The HITECH Act has also increased enforcement of the HIPAA regulations.

A privacy breach due to "willful neglect" that was corrected within 30 days and affected 100 individuals, which would have cost an organization $10,000 in prior years, will now cost a minimum of $1 million.

Covered entities (CEs) — and also business associates, who are now subject to civil and criminal penalties as of this month — need to know what actions (or lack thereof) can push them into the “willful neglect” category, which carries the most severe fines. They may be surprised to learn that routine inaction or procrastination by busy organizations could be categorized as enormously costly willful neglect.

The interim final rule regarding enforcement, published in the Oct. 30, 2009, Federal Register, uses the same language as the previous enforcement rule, stating: “Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”

Where it gets really interesting is the article's description of what counts as "willful neglect":

The most obvious demonstration of willful neglect would be when a covered entity has no preventative policies and procedures in place and a breach occurs. Annulis notes that seven years into HIPAA compliance, it’s unlikely that a CE or BA would have no formal protocol.

Greg Young, the privacy officer at Mammoth Hospital in California, however, believes that many small doctors’ offices and clinics still lack policies and procedures because they “don’t feel it’s necessary or don’t want to spend the money. They just want to take care of their patients, not realizing that part of taking care of patients is taking care of their information.”

If you think that simply writing policies and procedures will keep you out of the willful neglect category, read on.

“The greatest danger” for an organization, according to former director of OCR Richard Campanelli, now an attorney with Baker & Daniels LLP, is having policies and procedures that no one is enforcing and that employees are not educated about. “A policy on a shelf is not going to be very helpful — it won’t be helpful in protecting privacy and security, and it won’t be helpful in responding to an investigation,” he says. Once a violation occurs, the fact that the policy exists signals to OCR that the organization knows what it should be doing and has chosen not to comply.

The takeaway from this article is that you need to have policies and procedures in place for both the HIPAA Privacy and Security rules. These policies and procedures need to be enforced and communicated to all employees. I would tend to guess that a lot of practices have policies and procedures in place for the Privacy rule. Practices will need to develop policies and procedures that comply with the Security rule as well. This is especially true as practices start to create electronic protected health information (ePHI) through the implementation of an EMR, digital x-rays, electronic lab results, billing information, scanned consent forms, etc. The increased use of technology such as laptops, remote access, email, portable disks and smartphones will also require appropriate policies and procedures.

Here is a final thought that might keep you up at night. Imagine a spreadsheet with financial and demographic information on 250 patients, saved unencrypted on a laptop. The laptop was taken home by the billing manager and was stolen out of her car. Did you have a policy and procedure that prevented her from taking the information? Was it enforced? Was it communicated to all employees? Is this an unfortunate HIPAA violation, or is it willful neglect?
