Office of Inspector General Files Criminal Charges for a HIPAA Breach

The Office for Civil Rights may be the main overseer of Health Insurance Portability and Accountability Act enforcement, but it is not the only organization that can take action over HIPAA violations. The Office of the Inspector General (OIG) of the U.S. Department of Health and Human Services also investigates improper accessing of medical records and it can file criminal charges for a HIPAA breach.

The OIG has recently filed criminal charges for a HIPAA breach against a former East Texas hospital worker who is alleged to have inappropriately accessed patient health records during the time he spent working at the hospital. Between December 1, 2012 and January 14, 2013, the unnamed employee – from an unnamed East Texas healthcare facility – accessed numerous records and copied this data for personal gain, according to the OIG.

The OIG conducted an investigation into the HIPAA breach with assistance provided by the U.S. Postal Inspection Services, and together they determined that criminal activity had taken place. The individual now faces criminal charges for a HIPAA breach, for improperly accessing medical records and for wrongful disclosure of individually identifiable health data. In this case the penalty is a jail term of up to 10 years, although if it can be established that the information has been used to commit fraud, the sentence can rise to 20 years. The jail term may even be accompanied by a financial penalty.

In many cases, employee snooping is punished by the organization concerned by terminating the employment contract of the employee in question. In some cases, however, such as when information is accessed for personal gain, criminal charges for a HIPAA breach are more appropriate. The OIG is currently taking a particularly hard line on data theft and appears to be attempting to set an example in cases such as this. The message is clear. Access PHI inappropriately and it is not just a job that will be on the line. Hard time in jail is also a real possibility.

OIG Critical of the Office for Civil Rights

The OIG has been highly critical of the Office for Civil Rights in the past with regard to the enforcement actions the office has taken against offenders and inconsistencies in its investigation process. In late 2013, the OIG prepared a damning report on the OCR, criticizing the office for its failure to conduct compliance audits. The OIG pointed out that HIPAA compliance audits should be conducted periodically to check for compliance issues, yet the OCR was only conducting audits in response to security breaches.

The OIG said that the OCR had “missed opportunities” to encourage covered entities to strengthen security measures, while the methods used to investigate were also slammed. The OIG pointed out that, out of a total of 60 investigations, the OCR had failed to follow its own procedures in 29 of those investigations. The OIG found that there was missing documentation in 29 of those audits. The report does appear to have had some effect. Since it was issued, enforcement actions have increased at the OCR.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news