August Goes Out with a Bang: Stage 2 Final Rule & HIPAA Arrest

August ended in a whirlwind of federal activity, with CMS and ONC publishing the long-awaited Meaningful Use Stage 2 Final Rule and its accompanying Standards & Certification Criteria. And, as if Stage 2 wasn't enough excitement, the FBI arrested a former hospital employee for a solicitation scheme involving improper access to, and sale of, emergency department patient records.

Much dissected since their release on August 22 by CMS and ONC, the Meaningful Use Stage 2 Rules brought few surprises to those familiar with the Notices of Proposed Rulemaking (NPRMs) released back in March. In addition to formally delaying Stage 2 to 2014, the Final Stage 2 Rule limits the 2014 reporting period to 90 days for all providers, regardless of the Stage they are in.

While CMS took public comment into consideration and incorporated some revisions as a result, the majority of the NPRMs carried over into the Final Rules (see my previous post on the Stage 2 NPRMs). EPs now must report on 17 core objectives and 3 of 6 menu objectives, while hospitals and CAHs must report on 16 core objectives and 3 of 6 menu objectives. Likewise, EPs must report on 9 of 64 CQMs, and hospitals and CAHs on 16 of 29 CQMs. The majority of Stage 1 menu objectives and measures became core, and several Stage 1 core objectives and measures were consolidated into a single objective and measure(s) or eliminated (for example, "exchange of key clinical information" was eliminated in favor of a new and more robust "transitions of care summaries" objective).

Public comments highlighted the concerns many providers had with the new Stage 2 patient engagement requirements: those requiring that patients use secure messaging with their providers (EPs) and have online access to view and download their health information (EPs, hospitals and CAHs). Although the requirements were not eliminated, CMS reduced the associated measure thresholds from 10% to 5%. CMS also reduced the measure thresholds of certain other objectives, including the electronic exchange of summary of care records. That objective, another area of concern reflected in the public comments, was modified in response to require at least one successful electronic exchange with a different EHR technology, or a successful test with a CMS-designated test EHR, during the applicable EHR reporting period.

CMS has released several tip sheets and guidance documents to help EPs, hospitals and CAHs participating in the Medicare and Medicaid EHR Incentive Programs understand the new requirements for Stage 2, as well as the amendments to certain Stage 1 requirements. Additional information regarding Stage 2 can be found on CMS' new Stage 2 webpage.

To add to August's excitement, a former employee at Florida Hospital's Celebration Health was arrested by the FBI for accessing patient emergency department records and selling those related to motor vehicle accidents. According to the FBI criminal complaint, the former employee had been fired back in July 2011, but for an unrelated incident: accessing, without authorization, the medical records of a physician who had been shot and killed in a Florida Hospital parking garage.

However, prior to his termination from Celebration Health, the former employee, Dale Munroe (along with his wife and a co-worker), improperly accessed over 750,000 patient emergency department records at various Florida Hospital locations, allegedly then selling those records that related to a car accident to an entity, S.K. In turn, S.K. would sell the information to an entity or entities that solicited and referred patients to chiropractors and attorneys. Patients whose information was allegedly sold would receive a phone call shortly after their emergency department visit.

After Munroe was terminated, his wife and co-worker continued to access patient records. After the hospital was notified by an employee who had received a solicitation call, the wife and co-worker were also fired, and a breach was reported in 2011. While conducting audits in response to that breach, the hospital discovered the full extent of Munroe's own activity prior to his termination. The actions of these three individuals have been under investigation since.

Munroe is the only one who has been arrested so far. The complaint alleges violations of the criminal provisions of HIPAA at 42 U.S.C. § 1320d-6(a) and (b)(3), for intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, which carries a fine of not more than $250,000, imprisonment of not more than 10 years, or both. While over 750,000 records were improperly accessed, only approximately 12,000 are believed to have been viewed in depth and sold.
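Two facts in the Munroe story are worth dwelling on from a security-operations standpoint: accounts kept pulling emergency department charts after the people behind them had been fired, and the scale of the pre-termination access (hundreds of thousands of ED records, far beyond any clinical need) only surfaced once the hospital audited its access logs. The same two checks would have flagged the four post-termination lookups in the Zhou case discussed in the next post. As an added illustration, not code from the original post or from any of the hospitals involved, here is a small Python access-log audit that reconciles EHR chart-view events against an HR roster and flags (1) views at or after a user's termination time, (2) users who appear in the log but not on the roster, and (3) user-days whose ED chart-view count exceeds a threshold. The log format, user names, MRNs, timestamps, roster and threshold are all constructed for the example.

```python
"""Audit EHR chart-view logs for post-termination and high-volume access.

Everything below (log format, users, MRNs, timestamps, roster) is constructed
sample data for illustration; it is not a real hospital's audit trail.
"""
from collections import Counter
from datetime import datetime

# Constructed HR roster: user -> termination timestamp (None = still employed).
ROSTER = {
    "jdoe": None,
    "asmith": None,
    "dmunroe": datetime(2011, 7, 15, 17, 0),  # hypothetical termination time
}

# Constructed log lines: "<ISO timestamp> <user> <patient MRN> <unit>".
SAMPLE_LOG = "\n".join(
    [
        "2011-07-14T09:02:11 jdoe MRN10001 ED",      # ordinary clinical lookup
        "2011-07-14T09:05:40 jdoe MRN10002 ICU",
        "2011-07-16T11:20:03 dmunroe MRN10003 ED",   # after dmunroe was terminated
        "2011-07-16T11:21:45 dmunroe MRN10004 ED",
        "2011-07-14T13:00:00 ghost MRN10005 ED",     # user absent from the roster
    ]
    # A burst of 60 ED chart views by one user inside an hour: the volume pattern
    # the page describes, scaled down so the example stays readable.
    + [f"2011-07-14T14:{i:02d}:00 asmith MRN{30000 + i} ED" for i in range(60)]
)


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, unit = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "mrn": mrn, "unit": unit})
    return events


def post_termination_access(events, roster):
    """Chart views at or after the user's termination timestamp."""
    return [e for e in events
            if roster.get(e["user"]) is not None and e["ts"] >= roster[e["user"]]]


def unknown_users(events, roster):
    """Users present in the log but missing from the HR roster (orphan accounts)."""
    return sorted({e["user"] for e in events if e["user"] not in roster})


def high_volume_users(events, unit="ED", per_day_threshold=50):
    """(user, day) pairs whose chart views in `unit` exceed the threshold."""
    counts = Counter((e["user"], e["ts"].date())
                     for e in events if e["unit"] == unit)
    return {key: n for key, n in counts.items() if n > per_day_threshold}


def audit(log_text, roster, per_day_threshold=50):
    """Run all three checks and return their findings keyed by check name."""
    events = parse_log(log_text)
    return {
        "post_termination": post_termination_access(events, roster),
        "unknown_users": unknown_users(events, roster),
        "high_volume": high_volume_users(events, per_day_threshold=per_day_threshold),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG, ROSTER)
    for check, result in findings.items():
        print(f"{check}: {result}")
```

The threshold is the tunable part: a triage nurse legitimately opens dozens of ED charts a shift, so the number has to be set per role and per unit rather than globally, and a burst concentrated in one hour (as in the constructed `asmith` lines) is a stronger signal than the same count spread across a day. The roster reconciliation is the cheap check that catches the Munroe pattern of accounts outliving their owners' employment.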

Will HIPAA Conviction Appeal Loss Open the "Zhou" Gates?


This post is prepared by Christopher Dodson. 

Readers of this blog are probably familiar with the case of Dr. Huping Zhou, who was successfully prosecuted for violating HIPAA's privacy protections. Zhou accessed the patient records of celebrities and coworkers more than three hundred (300) times over the course of several months, including four times after he was fired. The case is notable, in part, because Zhou's actions were not part of a broader criminal scheme: he was not defrauding the government or engaging in identity theft, but was merely reading patient records out of curiosity. When he appealed his conviction, the Ninth Circuit ruled that HIPAA's wrongful disclosure provision does not require proof that the defendant knew his conduct was illegal.

One of the interesting details of the case was that while Zhou accessed several hundred records, he was only charged for the four records he accessed after he was fired. Why did the Department of Justice not charge him for accessing the other records while he was employed?

§ 1320d-6 of HIPAA prohibits anyone from knowingly accessing individually identifiable health information from a covered entity without authorization.

The answer to why Zhou was charged with only four counts may lie in the phrase "without authorization." It is possible that, since DOJ was already breaking new ground by prosecuting him for accessing records without criminal intent, it did not want to add a second novel issue: whether he had sufficient authorization while he was still employed.

But now that DOJ has established that criminal intent is not required to violate HIPAA's wrongful disclosure provision, could the next person in Zhou's position be charged for inappropriately accessing records while still employed?

There is an interesting parallel with the Computer Fraud and Abuse Act. As with HIPAA, the CFAA prohibits certain actions when they occur "without authorization," a phrase the statute does not define. There is ongoing debate over what qualifies as authorization for purposes of the CFAA, and a split has developed among the circuit courts over a theory concerning employees' authorization. The theory holds that when an employee violates her duty of loyalty to her employer, her authorization is canceled as a matter of law even while she is still employed. Under this theory, if an employee who has authorization to access a computer system violates the duty of loyalty and engages in conduct prohibited under the CFAA, a court may rule that her authorization was terminated as a matter of law at the moment of the offense. In other words, as far as the employee and her employer are concerned, she is an authorized user; only later does the legal system determine otherwise, leaving her liable under the CFAA.

Because there is a split among the circuit courts, many observers expect the issue to reach the Supreme Court. If the Supreme Court endorses canceling authorization retroactively based on an employee's own conduct, it is not a stretch to imagine DOJ developing an argument that the authorization of someone like Zhou was terminated as a matter of law before he was fired. That would allow DOJ to charge the defendant with every record view that occurred after the authorization-terminating event.

Christopher is a former software developer and current J.D. candidate at the Earle Mack School of Law of Drexel University. He is working with the attorneys at Oscislawski LLC as a summer intern.

Doctor Faces Criminal Charges for Wrongful Disclosures under "False Pretenses"

Hot on the heels of the HIPAA criminal charges against Chelsea Catherine Stewart for theft of patient information (see my previous post of June 14, 2011), a physician was indicted on June 21, 2011 on three counts of HIPAA violations in the U.S. District Court for the Eastern District of Virginia. Dr. Richard Alan Kaye, a licensed osteopath board certified in psychiatry, was formerly the medical director of the Psychiatric Care Center at Sentara Obici Hospital in Suffolk, Virginia, and had treated the patient whose individually identifiable health information was allegedly disclosed without authorization.

According to the U.S. Attorney's Office for the Eastern District of Virginia, Dr. Kaye had provided in-patient mental health treatment to the patient and, upon the patient's discharge in September 2007, had indicated in the discharge summary that the patient was not a danger to others. Despite this, in February 2008, Dr. Kaye allegedly disclosed information on three occasions to an agent of the patient's employer under "false pretenses," representing that the patient was a serious and imminent threat to the safety of the public.

According to the Virginia Board of Medicine, the Board had already investigated the incidents and, in May 2010, fined Dr. Kaye $5,000 for "one patient case of releasing confidential information and breach of confidentiality." He was placed on probation until he completed eight hours of professional ethics training. Dr. Kaye's license was restored by the Board on October 4, 2010 after he complied with the terms of his probation.

What makes the indictment against Dr. Kaye unique among previous HIPAA criminal prosecutions is that it alleges false pretenses for wrongful disclosures made to an employer. Since it is unclear what Dr. Kaye's motive was in disclosing the information to the employer, one has to wonder what "trigger" led to the FBI's involvement and the U.S. Attorney's criminal charges. Criminal prosecution under HIPAA is still a rare, albeit increasingly common, occurrence, especially in comparison to the number of HIPAA violations investigated by OCR each year.

Under § 1320d-6(b)(2), Dr. Kaye faces a fine of up to $100,000 and up to five years in prison if convicted of disclosing the information under "false pretenses." Dr. Kaye is scheduled to be arraigned on July 13. A copy of the press release can be found here.

Hospital Theft Leads to HIPAA Criminal Charges

An Alabama woman has been charged criminally in connection with the theft of patient information from Trinity Medical Center in Birmingham, Alabama, as reported by The Birmingham News. Section 1320d-6 imposes criminal penalties on any person who knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information, in violation of HIPAA.

The woman, identified as Chelsea Catherine Stewart, allegedly stole paper surgery schedules from a closed patient registration area at the hospital while visiting a patient. Stewart was arrested at the beginning of June after police, in connection with an ongoing investigation into mail theft and credit card fraud, found hundreds of pages of the schedules in the house where she was staying.

The schedules contained the names, dates of birth, Social Security numbers and certain medical information of approximately 4,500 patients of the hospital. In addition to the patient information, an affidavit by postal inspector John Bailey stated that there were handwritten notes containing information on other individuals that could be used for identity theft, along with a "to-do" list of sorts for fraud. One note allegedly read, "Get hospital records together and run credit reports on people to get info."

The notice of the theft on Trinity Medical Center's website states,

"All stolen information has been recovered....The hospital has no reason to believe this information has been or will be used in a way that would cause harm." 

Recovering the paper, of course, says nothing about whether the information was copied or used in the meantime, and the notes about running credit reports suggest that was the plan. Trinity Medical Center will nonetheless be offering free credit monitoring to affected patients. In addition to the notice on its website, the hospital also notified affected individuals of the theft by mail.

If convicted, Stewart could face the maximum criminal penalties under § 1320d-6 for "intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm": up to 10 years in prison and $250,000 in fines. Stewart also faces unrelated charges of credit card fraud and breaking into a vehicle.