A Seattle man recently pled guilty in the first criminal conviction under the Health Insurance Portability and Accountability Act (HIPAA) that went into effect a year ago.
In the case, an employee of a Seattle cancer center, Richard W. Gibson, stole information about a cancer patient. Gibson used the patient's name, date of birth, and Social Security number--all identifiable health information as defined by HIPAA--to obtain four credit cards with which he spent more than $9,000.
According to the plea bargain entered into the United States District Court in Seattle, Gibson's offense violated HIPAA by meeting four conditions. Gibson "disclosed to another person individually identifiable health information." He made the disclosure knowingly, and for a purpose other than that permitted by the law. And he disclosed the information with the intent to use this information for personal gain.
Under the terms of the plea agreement, Gibson faces up to 10 years in prison (the prosecutors recommended 10 to 16 months) and a fine of up to $250,000. He also must pay restitution to the victim and repay the credit card companies.
Benjamin T. Butler, counsel with the Washington, D.C., law firm Crowell & Moring LLP's Health Care Group, says that he finds this case particularly interesting because it shows that prosecutors are eager to remind businesses that HIPAA has teeth. "It appears that this person could have been prosecuted under a number of other statutes," Butler says, but prosecutors chose HIPAA. They wanted "to send a message that this authority is out there, and people shouldn't forget about it."
The case had another interesting wrinkle, Butler says. "The information that was provided [by Gibson] was name and Social Security number, not what you would typically think of as the paradigm case under HIPAA, which would be disclosing somebody's diagnosis or something to that effect."
While the type of information disclosed by Gibson is covered under the statute, Butler points out that it could have been just as easily stolen if Gibson worked at a bank or insurance company. The fact that he worked for a hospital "just made it more aggravating because the [victim] was suffering from cancer and added to the deal for the prosecution."