Yesterday, it was announced that a former employee of UCLA Medical Center was indicted by a federal grand jury for allegedly selling the medical information of Farrah Fawcett and other celebrity patients to the media. The indictment states that Lawanda Jackson, an administrative specialist at the hospital, received at least $4,600 from an undisclosed publication. The indictment charges Ms. Jackson with the most severe type of HIPAA violation, punishable by fines of up to $250,000 and/or a felony conviction with 10 years in jail.
Criminal prosecutions under HIPAA are rare, and typically involve egregious situations such as this one. For example, Richard Gibson, an employee of the Seattle Cancer Care Alliance, pled guilty in 2004 to a criminal HIPAA violation after he used a cancer patient's personal information obtained as a caregiver to obtain credit cards in the patient's name. The HIPAA enforcement regulations make clear that covered entities (i.e., health plans, hospitals and physician organizations) are primarily liable for HIPAA violations, not individual employees or managers. However, in a June 2005 opinion issued by the Department of Justice, through its Office of Legal Counsel, the DOJ stated its view that other third parties, including individuals, may be prosecuted under HIPAA under aiding and abetting or conspiracy theories of liability.
A spokesman for the U.S. attorney's office in Los Angeles stated that the investigation is continuing and additional defendants may be charged, including the media outlets involved. This is where it gets really interesting. It's possible that media outlets may be charged in this case under an aiding and abetting or conspiracy theory. Such an approach would likely posit that one or more media outlets paid Ms. Jackson with the intent to cause her to violate the HIPAA privacy regulations (and perhaps other California medical privacy laws), thus aiding and abetting a violation of HIPAA. These sorts of charges, if they are brought, could prompt a fascinating debate about where the line should be drawn between the appropriate investigative role of the press and the practices of tabloid publications that actively seek (and pay for) information about celebrity patients. For members of the Hollywood community seeking to curb the excesses of the tabloid media, it's possible that HIPAA may provide an unlikely, but powerful, weapon.
