As security experts, we have long understood that serious violations of the Health Insurance Portability and Accountability Act (HIPAA) can lead to costly fines and even jail time. Many professionals may believe that a misdemeanor is punished with nothing more than a warning and a fine; however, the example below shows otherwise.
Consider the example of Huping Zhou. Zhou was working as a medical researcher at the UCLA School of Medicine in 2003. In late October 2003, Zhou received notice that he would be terminated in three weeks based on his job performance (unrelated to any privacy violations). During that three-week period, Zhou accessed the organization’s electronic health records system and viewed the medical records of his supervisors, co-workers and celebrities without a legitimate or authorized reason.
In April 2010, Zhou pleaded guilty to four misdemeanor counts of accessing and reading confidential medical records. As a result, he was fined $2,000 and sentenced to four months in jail. With that sentence, Zhou became the first person in the United States to receive jail time for a minor HIPAA breach.
What surprised most medical and legal experts was the severity of the sentence, as Zhou did not sell or profit from accessing this information – he only viewed it. This ruling clearly demonstrates that the legal system is serious about enforcing and punishing all types of HIPAA violations, not only those with malicious or criminal intent.
Given the seriousness of HIPAA enforcement, what should you be doing to ensure compliance?
• Employ a security officer or manager who is responsible for maintaining and enforcing HIPAA-compliance standards.
• Train new hires on secure information handling practices that are HIPAA-compliant.
• Limit access to confidential records to only those who require it.
• Facilitate regular training sessions to keep employees up to date on HIPAA legislation.
• Develop an incident response procedure in the event of a breach.
• Dispose of confidential information securely by shredding it once retention periods are met.