Legal Memorandum: Medical Device Seller and HIPAA Violations

Issue: What is a seller of medical devices’ exposure for HIPAA violations in the event the unencrypted patient information stored on a computer is disclosed in violation of HIPAA?

Area of Law: Healthcare & Pharmaceutical Law Compliance
Keywords: HIPAA violations; Seller of medical devices
Jurisdiction: Federal, Minnesota
Cited Cases: None
Cited Statutes: 42 U.S.C. §§300jj et seq.; §§17901 et seq; § 164.502(a); 75 Fed. Reg. No. 134, pp. 40868, 40887; 42 U.S.C. § 1320d-6; 42 U.S.C. § 1320d-5; 42 U.S.C. § 1320d-5(b); 42 U.S.C. § 1320d-5(d)
Date: 11/01/2010

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.  42 U.S.C. §§300jj et seq.; §§17901 et seq.  To implement the HITECH changes, the  Department of Health and Human Services issued a proposed rule, expected to be final soon, that will “revise § 164.502(a) to provide that a business associate, like a covered entity, may not use or disclose protected health information except as permitted or required by the Privacy Rule or the Enforcement Rule.” 75 Fed. Reg. No. 134, pp. 40868, 40887 (July 14, 2010), http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf. 

A covered entity or business associate disclosing protected health information in violation of HIPAA/HITECH and related rules may be subject to criminal or civil penalties.  Imposition of a criminal penalty requires a “knowing” disclosure.  See 42 U.S.C. § 1320d-6.  This statute provides that a person who knowingly discloses individually identifiable health information “shall” be fined not more than $50,000 and/or imprisoned for up to one year.  However, if the disclosure is committed under false pretenses, the penalties are increased to $100,000 maximum and/or five years’ imprisonment.  And if committed for commercial advantage or personal gain, the penalties are increased to a $250,000 fine and/or ten years’ imprisonment.  Id

Civil penalties, on the other hand, are imposed when the disclosure was made with less culpability.  See 42 U.S.C. § […]

Subscribe to Litigation Pathfinder

To get the full-text of this Legal Memorandum ... and more!

(Month-to-month and annual subscriptions available)