Could HIPAA Make Criminals Out of People You Know?

Nobody wants to be right at the expense of companies that are trying to improve people’s health. But this summer, lots of companies that persistently deal with Personal Health Information (PHI) have been slapped with “I-told-you-so” fines that should have been on everyone’s radar for more than a year now. Some companies facing enforcement actions aren’t even medical firms, but somehow perform work where they handle protected information.

Enforcement Rises at an Alarming Rate

Many may soon regret not heeding the repeated warnings that HIPAA privacy enforcement is seriously escalating. Now grace periods are over, and states’ attorneys general are using the authority given to them under the HITECH provisions to prosecute cases.

California, Texas, Massachusetts and Rhode Island Get Serious about HIPAA

California, Texas and Massachusetts have also cut the warning time that violators used to get, which was a two-month grace period.

For instance, Parkview Health, an Indiana company, has been slapped with an $800,000 fine for not adequately protecting patient privacy. Massachusetts is extracting more than $150,000 from a women’s clinic for a HIPAA breach. Tiny Rhode Island has made itself the leading prosecutor of such cases. Even Puerto Rico’s insurance agency is getting into enforcement in a big way, with a $6.8 million HIPAA levy.

Criminal Charges Pursue Some Violators

And in an extra-alarming new turn of events, the attorney general’s Eastern District of Texas office announced that it’s bringing criminal charges for HIPAA violations.

Yes, that’s right. Criminal charges. And while they are not yet common, it is possible to go to jail for breaking HIPAA law. And since HIPAA is a federal law, violations could be prosecuted by federal criminal courts.

How to Stay Out of Trouble—And Even Jail

The best way to stay out of trouble is to get your own house in order. Many companies don’t realize that they could be covered by HIPAA, either as a “covered entity” or as a “business associate” of someone who is. (Loosely speaking, a business associate is someone your company does business with, often a service provider, who has access to information protected under HIPAA.) And since the rules have changed over the years, some companies that you’d think would know they’re covered business associates under HIPAA don’t have a clue.

Commonly Overlooked Business Associates

One of the most frequently overlooked business associates is a company’s telecommunications provider. In general, storing data such as faxes, voicemail and other personal health information makes your telecommunications provider a business associate.

How will you know? One good indicator is whether or not they’re willing to put it in writing with a Business Associate Agreement. If they’re not, it could signal uncertainty involving the security and integrity of their own business processes. You definitely do not want to be caught up in someone else’s non-compliance issues.

That’s one reason why 8x8 has gone to such great lengths to become HIPAA compliant, to offer HIPAA-compliant solutions—AND to offer Business Associate Agreements. It was a long journey (about a year-and-a-half) to achieve compliance and become a HIPAA-compliant Business Associate, but our customers deserve the peace of mind that such agreements offer. Nobody should have to worry about crippling fines or jail because of someone else’s noncompliance.


Mike McAlpen
Mike McAlpen is the Executive Director of Security and Compliance at 8x8, one of the largest US VoIP providers for business. Prior to this, Mike was a business leader with Visa, Inc. Global Information Security and Compliance. Before this, Mike was a leader in HP Professional Services Information Security, CIO/CISO Advisory and other services for nearly 12 years. Mike is a frequent Information Security speaker, a three-term IT Services Management Foundation President, on the Board of Directors of the Silicon Valley ISSA, and active in ISACA, FBI/DHS InfraGard, U.S. Secret Service’s Cyber Crime Task Force and the American Bar Association Science and Technology Section’s Information Security Committee. [...]