Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The statute and the rules issued under it were aimed at maintaining the privacy of medical records while ensuring the smooth flow of medical information pertinent to patient care. Penalties for HIPAA violations are mostly civil monetary penalties, tiered by the violator's degree of culpability and subject to annual caps for each type of violation. Congress also included criminal penalties under 42 U.S.C. § 1320d-6 for knowingly obtaining or disclosing individually identifiable health information, with up to 10 years in prison when the offense is committed with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm.
Over the past five years, the pace of electronic breaches of protected health information (PHI) has accelerated. Hardly a day passes without news of a medical facility, health network, or health insurer being the victim of a data breach. Technically, each of these breaches is a HIPAA violation. Yet because of their frequency, the agencies enforcing HIPAA have put in place a routine reporting mechanism, the breach notification rule, under which a breach affecting 500 or more individuals must be reported to HHS and is posted publicly. Entities that suffer electronic breaches exposing the PHI of large numbers of patients now report them, notify the affected patients, and move on without repercussion or punishment.
In February 2024, Change Healthcare, which UnitedHealth Group had acquired in 2022, suffered a ransomware attack in which PHI was stolen by the attackers. UnitedHealth Group reportedly paid a ransom of about $22 million, and in a sardonic twist the criminals then quarreled among themselves: the affiliate who carried out the intrusion claimed that the ransomware operators had absconded with the payment without sharing it. We have since learned that the breach was the largest in recorded history, involving the PHI of roughly 190 million Americans. UnitedHealth Group's own account to Congress points to lax security during the integration of Change Healthcare: the attackers logged in with stolen credentials to a remote-access portal that did not have multi-factor authentication enabled. It is ironic that those of us still seeing patients receive periodic mailings from Change Healthcare advising us about our billing and coding performance, despite Change Healthcare having failed to keep patient PHI secure. To date, no person has been held accountable or faced criminal charges over this or the many other breaches of the last five years.
Unfortunately, what is good for the goose is not good for the gander. Physicians have been on the receiving end of criminal prosecutions for HIPAA violations. In 2010, Huping Zhou, MD, became the first person sentenced to prison for a HIPAA violation. Dr. Zhou, a cardiothoracic surgeon trained in China, was working as a researcher at UCLA. He was accused of accessing the medical records of his supervisors and colleagues, as well as those of many celebrities, without any medical need. He pleaded guilty, served four months in jail, and later returned to private practice as a family physician in Virginia.
In 2018, a Massachusetts gynecologist, Rita Luthra, MD, was found guilty of a criminal violation of the HIPAA privacy rule. Dr. Luthra was accused of giving a pharmaceutical sales representative access to PHI to help with insurers' prior authorizations of prescription medications. After the guilty verdict, Dr. Luthra lost her medical license but was spared jail time; the judge sentenced her to one year of probation in consideration of her long career serving underserved communities in western Massachusetts. Dr. Luthra's action was a HIPAA violation only in the technical sense that there was no business associate agreement with the pharmaceutical company that would have bound the representative to the privacy rule's requirements.
Most recently, surgery resident Eithan Haim, MD, was indicted on criminal HIPAA charges after he provided a reporter with records concerning children receiving gender transition-related care at Texas Children's Hospital in Houston, Texas. Dr. Haim maintained that no law was broken because the records he disclosed contained no PHI. The case caused a significant uproar because Dr. Haim was seen as a whistleblower against Texas Children's Hospital, which had publicly stated it would stop providing gender transition care. The records he disclosed, which he said were stripped of patient identifiers, indicated that the hospital was continuing to provide the care it claimed to have stopped. After the disclosures and the controversy they produced, Texas enacted an outright ban on transition-related care for minors; the indictment against Dr. Haim followed in 2024. On January 24, 2025, a few days into the new administration, the Department of Justice dismissed the indictment with prejudice, ending his prosecution on criminal HIPAA charges. The dismissal was a consequence of an executive order signed by President Donald Trump, who had pledged to end the weaponization of the justice system.
The HIPAA privacy rule has become a toothless and meaningless regulation. Given the extent and breadth of data breaches over the past few years, experts estimate that the protected health information of most adults living in the U.S. is available on the dark web, including full names, addresses, dates of birth, and Social Security numbers. If you are reading this, there is close to an 85 percent chance that your protected health information is available for someone to exploit.
Little attention or protest has been directed at the fact that physicians are the ones who have been prosecuted for criminal HIPAA violations, while executives at hospitals and health insurers who recklessly, and potentially criminally, neglected to enforce their security protocols, leading to data breaches, have not. No one has been held accountable for any of these breaches; the organizations that neglected their computer systems notify the affected patients and move on unblemished and unscathed. The justice system holds physicians responsible when there is a HIPAA violation. Health system and health insurance executives need to be held to the same standard and made accountable for these breaches; otherwise, the security of protected health information will continue to deteriorate.
Muhamad Aly Rifai is a practicing internist and psychiatrist in the Greater Lehigh Valley, Pennsylvania. He is the CEO, chief psychiatrist and internist of Blue Mountain Psychiatry. He holds the Lehigh Valley Endowed Chair of Addiction Medicine. Dr. Rifai is board-certified in internal medicine, psychiatry, addiction medicine, and psychosomatic medicine. He is a fellow of the American College of Physicians, the Academy of Psychosomatic Medicine, and the American Psychiatric Association. He is the former president of the Lehigh Valley Psychiatric Society.
He can be reached on LinkedIn, Facebook, X @muhamadalyrifai, YouTube, and his website. You can also read his Wikipedia entry and publications.