Since HIPAA went into effect in 2003, more than 34,000 complaints of privacy violation have been filed. Most complaints (about 80%) were resolved. Many were simply dismissed. Often, a warning was issued or the matter was pursued in civil court.
About 400 of the unresolved cases have been referred to the federal Department of Justice, but only a handful have been prosecuted. This is likely to change, however, as violations are taken more seriously and as the government gears up for these types of cases.
While some HIPAA violations are inadvertent—a stolen laptop with patient records on it, for example—Ms. A’s actions struck at the heart of what HIPAA is supposed to avoid. She accessed patient records; gathered information; and then provided that information to someone else, knowing it would be used in a way that was harmful to the patient. Her prosecution was meant to set an example and warn HIPAA-covered entities that the regulation is serious and must be upheld.
Ms. A’s actions could have put the clinic itself in danger of prosecution, but management handled the situation in the best way possible. Her supervisor fired her on the spot after the patient notified him of the breach. Then, without delay, Dr. P called a meeting to educate staff members—both clinical and clerical—about HIPAA’s provisions, their purpose, the importance of patient privacy, and what can happen in the event of a violation. It is essential that you, as an employer, not wait for an incident to occur.
The best way to protect yourself is to ensure that your employees understand HIPAA regulations. Educate your employees upon hire and periodically thereafter. Keep written records detailing clinic policy and include it in all employee manuals or handbooks. In this way, you will protect both yourself and your employees.
Ms. Latner, a former criminal defense attorney, is a freelance medical writer residing in Port Washington, N.Y.