First Criminal Case Conviction Under HIPAA

    On August 19, 2004, the U.S. Attorney’s Office for the Western District of Washington announced that it entered into a plea agreement with Richard W. Gibson in U.S. v. Gibson. Gibson pleaded guilty in federal court to wrongful disclosure of individually identifiable health information for economic gain, a violation of 42 USC 1320d-6. This is the first criminal conviction under the Privacy Rule of the Health Insurance Portability and Accountability (“HIPAA”) which has been in effect since April 14, 2003.

    In the Plea Agreement, Gibson admitted to obtaining a cancer patient’s name, birth date and social security number and then using that information to obtain several credit cards. Gibson also admitted to making purchases of various items, including video games, jewelry, clothing, home improvement supplies, gasoline and groceries, in excess of $9,000 with those credit cards. At the time of the unlawful use and disclosure, Gibson was an employee of Seattle Cancer Care Alliance where the patient was being treated.

    Gibson has agreed to pay the credit card debt, as well as the patient’s expenses incurred as a result of Gibson’s use of the patient’s identity. The Plea Agreement recommends a sentence of 10 to 16 months. A hearing is scheduled for early November in the U.S. District Court where a Judge Ricardo S. Martinez will determine whether to accept the Plea Agreement. If the Court accepts the Plea Agreement, it may order that Gibson serve his sentence in federal prison, or in a combination of federal prison and either home or community confinement. If the Court rejects the Plea Agreement, Gibson may withdraw his guilty plea.

    The Gibson case is noteworthy for two reasons: first, it is the first criminal conviction under HIPAA. Second, it makes clear the Department of Justice’s position that the Privacy Rule can apply to members of a covered entity’s workforce, not just the covered entity itself. A “covered entity” includes health care providers who submit certain electronic transactions, health plans and health care clearinghouses. Under the Privacy Rule, the workforce of a covered entity includes employees, volunteers and, in the absence of a business associate agreement, independent contractors under the direct control of the covered entity.

    While HIPAA does not create a private right of action, it allows for the imposition of both criminal and civil penalties for violations. HIPAA includes varying degrees of criminal penalties depending on the nature of the offense. On the lighter end, a defendant may be fined not more than $50,000, imprisoned not more than one year, or both. If the offense was committed under false pretenses, a defendant may be fined not more than $100,000, imprisoned not more than five years, or both. If the offense was committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain (as in the case of Gibson) or malicious harm, a defendant may be fined not more than $250,000, imprisoned not more than 10 years, or both.

    The Office of Civil Rights for the Department of Health and Human Services (“OCR”) is charged with civil enforcement of the Privacy Rule. OCR investigations are prompted by complaints from individuals who believe the privacy of their individually identifiable health information has been violated. Complaints must generally be filed within 180 days of the privacy violation, however, OCR will accept complaints after that 180-day period of the individual can show good reason why the complaint was submitted after such time period. While OCR may impose monetary penalties up to $100 per violation, up to $25,000 per year for each violation, its goal is to help covered entities become compliant with the Privacy Rule.

    The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2023.