HealthcareInfoSecurity.com's Howard Anderson and others last week covered an indictment filed in Pennsylvania against a man who allegedly used his authorized access (as a hospital employee) to patient records to steal names, dates of birth, Social Security numbers, and other personal data from patient health records and then used them to file false tax returns. Much of the reporting on the incident has focused on the HIPAA violations of the alleged actions, for which the HITECH-strengthened criminal and civil penalties could theoretically result in millions of dollars in fines and a lengthy prison sentence. While the HIPAA-based prosecution is certainly noteworthy, the facts of the case as reported in the media suggest that the man has likely also violated federal and Pennsylvania identity theft laws, including the Identity Theft and Assumption Deterrence Act and section 4120 of the Pennsylvania Crimes Code (18 Pa. Cons. Stat. §4120), and could therefore be subject to additional charges and penalties under the authority of the FTC and other government agencies. Under the enhanced civil and criminal enforcement provisions enacted with HITECH, the potential clearly exists for prosecutions for HIPAA violations to become routine, in marked contrast to the almost complete absence of such prosecutions under HIPAA in the past.
Steve Gantz (Security Architecture)
Information security and privacy professional, researcher, teacher, and advocate. Recently completed a doctorate in management, with dissertation research focusing on the role of trust and distrust in achieving cooperation among organizations.