Ignorance no defense in HIPAA criminal violations, say feds

July 11, 2005

Just because pharmacists or pharmacies don't know that certain actions are prohibited by the Healthcare Insurance Portability & Accountability Act doesn't mean they can't be brought up on criminal charges for violations, according to a ruling issued by the U.S. Department of Justice (DOJ).

Covered entities, including pharmacies and pharmacists, can be prosecuted if they are aware of the facts that constitute a HIPAA criminal offense, even if they do not know that what occurred was prohibited by the rules. In other words, ignorance of the HIPAA law regarding criminal offenses is no defense against prosecution, according to the DOJ attorneys.

Not every violation of HIPAA will incur the wrath of the federal prosecutors. Some violations are civil in nature and ignorance of the rule is a defense, according to the opinion. But the law does set forth the specific actions that can be criminally prosecuted. A person who "knowingly and in violation" of the law uses or causes to be used a unique health identifier, obtains individually identifiable health information relating to an individual, or discloses individually identifiable health information to another person shall be punished as provided in the law, according to the DOJ.

"Let's say you're a pharmacist who never heard of the rules and you talk about one of your patients with a friend," he said. "You disclose information about Mrs. Smith taking Prozac. You knowingly disclosed the information to someone who didn't have a legitimate reason to get it. You could be criminally prosecuted even though you didn't know you were violating the HIPAA privacy rules. It's hard enough to be prosecuted for violating a very confusing rule; it would be even worse if the feds said, 'We don't care whether you know what the rules are, we're still going to prosecute you for violating them.'"

The ruling was issued at the request of the general counsel of the Department of Health & Human Services and the senior counsel to the deputy attorney general. The officials wanted to clarify the criminal enforcement provisions of HIPAA, which carry fines of up to $250,000 and imprisonment of up to 10 years.

The portion of the DOJ ruling that captured media attention centered on the opinion related to letting some employees or outsiders off the hook for federal criminal charges for stealing protected health information (PHI). The federal attorneys reasoned that HIPAA applies only to covered entities such as hospitals and healthcare providers, and they alone can be prosecuted for violating the rules. The ruling undercuts the government's only successful HIPAA criminal prosecution, in which an employee of a hospital consortium pleaded guilty to stealing a patient's identity using PHI.

Just because an employee's actions won't trigger federal prosecution doesn't mean the crime will go unpunished, said Bell. There's always the possibility of criminal prosecution by the state, and the victim of the PHI misuse could always sue the perpetrator, he added.

Whether an employee's actions are prosecutable gets a little murky under the ruling. If an employee committed the violation outside the scope of his duties, he wouldn't face federal charges. For example, a pharmacy clerk rifling through files to find someone's name and Social Security number to steal an identity would be outside the scope of his duties, said Bell, and not face federal prosecution. However, he added that the pharmacy might face criminal charges if it didn't meet the HIPAA standards, such as if PHI was left lying around or if access was given to employees who didn't need it to do their job.

"If a pharmacy hasn't violated the rules because it did the training, kept files locked, and followed the regulations, the fact that some employee went beyond his or her job description and stole information should not make the pharmacy liable," Bell added.