3rd HIPAA criminal case hints at federal tactics

Legal experts say that as long as HIPAA-covered entities play by the rules, they might be spared from prosecution for an employee's alleged illegal actions.

By Amy Lynn Sorrel, AMNews staff. Oct. 16, 2006.

When HIPAA privacy rules went into effect in 2003, doctors, hospitals and other "covered entities" wondered if the government would go after them for violations made by their employees. A Justice Dept. memo issued June 2005 seemed to make it clear that would be the case.

But as the department began prosecuting the third criminal case involving privacy breaches, its tactics indicate the government isn't sticking completely with that stance, some legal experts say.

In September, the Justice Dept. indicted a former Cleveland Clinic employee for conspiracy to commit health care fraud. Isis Machado worked as a front desk office coordinator at the Cleveland Clinic in Weston, Fla., where the government alleges she "exceeded her authorized access" to the hospital's computers to download the protected health information of more than 1,100 patients. The information included patients' names, birth dates, Social Security numbers, Medicare identification numbers and addresses.

Machado allegedly stole the private information and sold it to her cousin, Fernando Ferrer Jr., her alleged co-conspirator, according to the U.S. Attorney's Office for the Southern District of Florida in Miami. Ferrer owns a medical claims company, Advanced Medical Claims Inc., in Naples, Fla., and allegedly submitted about $2.8 million in false claims to Medicare, according to the indictment.

Legal experts say it is significant, especially in light of the Justice Dept. memo, that the Cleveland Clinic has not been charged in connection with the privacy breach.