Why are only physicians prosecuted under HIPAA? [PODCAST]


Practicing internist and psychiatrist Muhamad Aly Rifai discusses his KevinMD article, “The criminal enforcement of HIPAA.” In this episode, Muhamad delves into the escalating electronic breaches of protected health information and the lack of accountability for large organizations responsible for these violations. He highlights several high-profile cases where physicians have faced criminal charges for HIPAA breaches, while health system executives and insurers have not been similarly prosecuted despite significant data breaches. Muhamad explores the consequences of this enforcement disparity on patient privacy and the effectiveness of HIPAA regulations. Additionally, he advocates for equal accountability across all entities handling protected health information to enhance data security and protect patient rights. Listeners will gain a deeper understanding of the flaws in current HIPAA enforcement and discover actionable strategies for strengthening data protection within the health care system.

Our presenting sponsor is DAX Copilot by Microsoft.

DAX Copilot, by Microsoft, is your AI assistant for automated clinical documentation and workflows. DAX Copilot allows physicians to do more with less and turn their words into a powerful productivity tool. DAX Copilot automates clinical documentation—making it available in the EHR within minutes—and clinical workflows, including referral letters, after-visit summaries, style and formatting customizations, and more.

70 percent of physicians who use DAX Copilot say it improves their work-life balance while reducing feelings of burnout and fatigue. Patients love it too! 93 percent of patients say their physician is more personable and conversational, and 75 percent of physicians say it improves patient experiences.

Discover AI-powered solutions for clinical documentation and workflows. Click here to see a 12-minute DAX Copilot demo.

VISIT SPONSOR → https://aka.ms/kevinmd

SUBSCRIBE TO THE PODCAST → https://www.kevinmd.com/podcast

RECOMMENDED BY KEVINMD → https://www.kevinmd.com/recommended

GET CME FOR THIS EPISODE → https://www.kevinmd.com/cme

I’m partnering with Learner+ to offer clinicians access to an AI-powered reflective portfolio that rewards CME/CE credits from meaningful reflections. Find out more: https://www.kevinmd.com/learnerplus

Transcript

Kevin Pho: Hi, and welcome to the show. Subscribe at KevinMD.com/podcast. Today, we welcome back Muhamad Aly Rifai. He’s a psychiatrist and internal medicine physician. Today’s KevinMD article is “The criminal enforcement of HIPAA.” Muhamad, welcome back to the show.

Muhamad Aly Rifai: Thank you for having me talk to your audience about HIPAA, the Health Information Portability and Accountability Act.

Kevin Pho: All right. What’s this article about?

Muhamad Aly Rifai: So in the article, I talk a little bit about the history of HIPAA. HIPAA, the Health Information Portability and Accountability Act, was passed in 1996 by Congress. Since its passing—which was mainly to facilitate the transfer of electronic medical records while maintaining patient privacy—it has morphed into a burden on practices, especially private practices.

Over the past few years, we have seen that it has become a meaningless and toothless piece of law that has not helped people keep their information private. With the HIPAA law, there’s a companion code of federal regulation, a law 42 U.S.C. section 1320-d-6. Now, this part also imposes criminal penalties on individuals who violate the HIPAA law—up to ten years in prison.

Over the past few years, the cost of maintaining HIPAA and the electronic medical record has skyrocketed, but we have also seen a new phenomenon: a continuous and unlimited number of breaches where individuals—hackers, cybercriminals—utilize ransomware technology, basically gathering a large amount of protected health information (PHI), private health information, and selling it on the black market. Not one day passes where we don’t hear about some hospital, health insurer, or some medical company that got hacked, with information about many Americans out there. That’s been problematic.

Kevin Pho: All right, so before we get into some of the problematic issues with HIPAA, just give us the overall intent in terms of why HIPAA exists in the first place.

Muhamad Aly Rifai: So, HIPAA existed basically to facilitate the transfer of electronic medical records, and it pertains specifically to electronic medical records between providers. The insurance products and the fact that people change jobs from one insurer to another led Congress in 1996 to ensure that when people change jobs, they are able to transfer their medical information with them. With the advent of electronic medical records, they wanted information to transfer very easily.

We have seen some of that happen. For example, the largest electronic medical record system in the country, Epic, allows information to flow very easily between different hospitals and organizations, and people, to a certain degree, are able to move their electronic medical records from one provider to another. But the implementation of that has been burdensome. There’s been a significant expense associated with private physicians. Hospitals have been able to defray that cost, but it has been a significant burden and has not been helpful to physicians or patients.

Kevin Pho: So tell us the impact of holding people who violate HIPAA criminally responsible. What’s the impact of that on the medical profession?

Muhamad Aly Rifai: We’ve seen that HIPAA implementation has always been very minimal in enforcement. Any inadvertent mistakes, for example, sending the medical record of a patient to the wrong physician—that’s an inadvertent disclosure—or a patient’s family member calling when the patient doesn’t want them involved in their care. Sometimes the patient had previously given permission, then revoked it, so an inadvertent disclosure might happen. Those are all dealt with civilly.

But we have seen some situations where some of these laws were deployed toward physicians who made inadvertent errors. For example, a physician—an obstetric-gynecologist in Massachusetts—was prosecuted because she failed to obtain a business associate agreement when she had a pharmaceutical representative assist her office in prior authorizations, which is a normal practice sometimes, since prior authorizations for medications, treatments, or devices can be pretty complicated. However, she failed to obtain a business associate agreement with that pharmaceutical representative, and she was prosecuted criminally. The judge was kind to her and spared her jail time, but the government was asking for five years in jail. She basically was spared jail and is back in practice, thankfully. However, people could be prosecuted criminally very easily.

Kevin Pho: Now, what kind of changes do you think are needed in terms of HIPAA enforcement to ensure that patient information remains protected, yet not over-prosecuting those who potentially violate it?

Muhamad Aly Rifai: I talked about the fact that the largest holders of electronic medical record information for patients in the U.S. are health insurers and hospitals. Not one day passes where we hear about a hospital that was hacked or had ransomware. I can tell you about a difficult experience in my area: a local hospital acquired a hematology-oncology group, and during that acquisition process, some glitches happened in the security of the electronic medical records. The electronic medical records of that hematology-oncology group were hacked, a ransomware attack occurred, and the hospital refused to pay. The hackers ended up releasing some of the information, and it was quite unfortunate. Some of the information included pictures of patients, cancer staging pictures of patients who were unclothed, which was quite harsh to those patients. However, the hospital did the right thing. The patients filed a class-action lawsuit against the hospital, and the hospital owned up to their mistake, settling the class-action lawsuit.

Most recently, my practice has been part of that. Change Healthcare, which is a large biller processor in the United States that became part of UnitedHealthcare, was hacked. It was the largest hack in the health care history. The data of 191 million Americans is out there, including my own data. I know I was a patient in a practice that had Change Healthcare, and I know now all of my data is on the dark web for someone to buy. If someone’s watching this, there’s probably a 70 or 80 percent chance that their data is out there too. We haven’t seen any ramifications for what happened. It’s been about a year. There has been no action—mostly like, “Nothing to see here, folks. Just move on.” One hundred ninety-one million Americans’ data—their names, Social Security numbers, addresses, medical history, private information including electronic medical records that were sent to insurers to justify care—are all out there somewhere for hackers to exploit, and we haven’t seen any response. The entity that enforces HIPAA is the Office for Civil Rights in the Department of Health and Human Services, and we haven’t seen any action. Usually, if they are going to treat this as a civil or a criminal case, they coordinate with the Department of Justice, and we haven’t seen anything with the Change Healthcare hack.

Kevin Pho: So you clearly articulate a disparity when it comes to HIPAA enforcement. They tend to target individual physicians versus large organizations like hospitals or insurers. As you said with the Change Healthcare leak, there wasn’t any punitive action, as far as you know. Why do you think that is?

Muhamad Aly Rifai: I think it’s very hard to go after large hospitals and large organizations. They have extensive legal teams who will drag legal proceedings out and fight government lawyers who seek penalties. They will appeal, they’ll take it to the Supreme Court, it will come down, they’ll appeal again—basically, the cases will be defended. It’s only us physicians on the front line who, when inadvertent errors occur, find ourselves in trouble.

Now, there’s also an unfortunate event that happened over the last couple of years where criminal HIPAA violations sometimes are politicized, and the criminal justice system is weaponized for political reasons. A surgical resident in Texas, Dr. Eithan Haim, was actually indicted and on his way to prosecution for criminal HIPAA violations after he acted as a whistleblower at a local hospital he worked with in Texas. His whistleblowing activity involved claiming that the hospital was continuing to provide gender-affirming care to children while it had publicly said it had stopped providing gender-affirming care. Texas, following that issue, banned gender-affirming care completely by legislation. The Department of Justice continued to prosecute this surgical resident—an excellent physician—and it wasn’t until the new administration with the new president decided to dismiss the indictments with prejudice, just a few days ago, that he was set free. He was facing a criminal trial for HIPAA violations, facing 10 to 15 years in jail, even though there was no release of any personal identifying information or any issue with patient privacy being violated. He was simply whistleblowing about what he perceived as inappropriate things the hospital was doing. So the criminal prosecutions are for us, and hospitals and health insurance companies don’t even get a slap on the wrist.

Kevin Pho: What are some things physicians can do, obviously, to avoid criminal prosecutions as it relates to HIPAA?

Muhamad Aly Rifai: Education. Physicians need to educate themselves. There are free online courses on HIPAA from many professional organizations, such as the American Psychiatric Association and the American Medical Association. They need to educate their staff, and they need to have a robust safety system in terms of maintaining patient privacy.

However, there’s a movement now with independent physicians seeing patients who don’t want their health information housed in large hospital medical record systems like Epic. Patients are gravitating toward private physicians who may have private electronic medical record systems or even paper records. Some physicians still maintain paper records despite penalties, and there are some patients who ask physicians to go back to paper records: “Please don’t maintain my data on an electronic medical record. I want my medical records to be on paper. If somebody asks for my records, you should ask me before you release my records to anybody.” That’s a dangerous precedent, because HIPAA was supposed to facilitate electronic medical records, and now we have patients going back to paper medical records.

Kevin Pho: We are talking to Muhamad Aly Rifai. His KevinMD article today is “The criminal enforcement of HIPAA.” Muhamad, as always, let’s end with some take-home messages that you want to leave with the KevinMD audience.

Muhamad Aly Rifai: HIPAA is a law that protects the privacy of our patients and their medical records. We need to be well educated about it. It is a well-intentioned law, but unfortunately, its administration and the fact that it has become something that’s not helpful to our patients has led to significant breaches in electronic medical records. We need a recalibration of the law, and hopefully the new administration will try to streamline and simplify regulations that have not been helpful to our patients.

Kevin Pho: Muhamad, as always, thank you so much for sharing your perspective and insight, and thanks again for coming back on the show.

Muhamad Aly Rifai: Thank you very much for having me.
