HIPAA Crimes: The Case of a Texas Whistleblower

HIPAA Criminal Prosecutions

Can you be prosecuted for a HIPAA violation? The answer is, yes but rarely. When the HIPAA privacy rule first came about during the turn of the millennium, prosecutions were sparse. But just as other areas of law, hidden statutes and creative charging methods provide ample support for prosecutors whielding political power.

In a recent prosecution the Garland DOJ draws the line between prosecutable conduct and malfeasance in a new place by dusting off the HIPAA criminal enforcement statute to prosecute a new kind of target - a whistleblower.

Whistleblowing, a National Treasure

Whistleblowing is as much of a national treasure as Nick Cage. The practie keeps our government honest and ensures a balance of power.

In 1971 Daniel Ellsberg leaked the Pentagon Papers to The New York Times. In 1972 “Deepthroat” leaked details about watergate to Bob Woodward and Carl Bernstein. Jeffrey Wigand revealed tobacco lies to Congress about the impact of tobacco. In 2004 Abu Ghraib Army Specialist Joe Darby revealed photographs of torture at the U.S. Military prison in Iraq. In 2004 the NYT also obtained a leaked memo from the red cross detailing abuses at Guantanamo Bay in Cuba.

Take a second and imagine a nation free of whistleblowers. Nixon stays in office. Lessons from Viet Nam aren’t learned. Tobacco is without a warning. Landmark Supreme Court cases related to detainee treatment are never raised.

But what happens when the leak doesn’t support a popular narrative and stands against the Department of Justice’s political aims?

Enter Physician David Haim.

Texas Childrens Hospital resident David Haim was indicted in June of 2024 with several violations of HIPAA for accessing medical records and providing redacted records to a reporter. Yes you read that correctly - redacted records.

Some have suggested that the prosecution of David Eithan Haim is the next victim of the Biden administration’s lawfare prosecutions and the weaponization of the DOJ to pursue political aims.

Haim worked at Texas Children’s Hospital, one of the largest pediatric hospitals in the country. The hospital made no secret of its support for transgender medicine. Its doctors adminstered puberty blockers, cross-sex hormones, and other medical interventions to children who self-identified as “trans”. But when public pressure came about, CEO Mark Wallace announced that he was shutting down the clinic but doctors Richard Ogden Roberts, David Paul, and Kristy Rialon never stopped. (Credit /City Journal).

Haim contactd Christopher F. Rufo a senior fellow at the Mahnattan Institute and contributing editor of the City Journal and provided records showing that the practices were continuing. The ensuing story rocked the hospital and the Texas legislator passed a bill outlawing juvenile transgender medical procedures.

The HIPAA statute, Title 42 Section 1320-9(b)(3), applies to this hospital and its staff. HIPAA, the Health Insurance Portability and Accountability Act, was enacted to protect patient health information from exposure by unauthorized entities, ensuring the privacy and security of health information and mandating strict guidelines for handling patient data.

In June 2023 Federal Agents knocked on Haim’s door after a thorough investigation of the “leak”. AUSA Tina Ansari was assigned to the case and began threatening Haim with prosecution. An indictment was unsealed a year later.

According to the indictment, Haim was granted login credentials to access medical patient files. He was authorized to review records only for patients under his care. He rotated at the hospital until January 2021 and then left. However, he attempted to re-activate his login credentials, apparently stating that it was to review charts of patients under his care. He emailed the hospital staff multiple times for access and was eventually granted access despite him not actively treating patients at that time.

The indictment alleges that he caused “malicious harm” to pediatric patients and physicians by providing information to a media contact. The indictment admits that he redacted the name of the patient, but the media contact apparently published some of the information on X and other media outlets. As a result, the hospital claims it suffered “financial loss, medical delays, and threats of harm to patients and esteemed physicians.” Haim was indicted under Title 42 United States Code, Chapter 7, Subchapter XL, Part C (HIPAA) for obtaining health information under false pretenses.

Criminal Penalties for HIPAA Violations

HIPAA violations can lead to both civil and criminal penalties. Criminal enforcement under HIPAA is detailed in Title 42, United States Code, Section 1320d-6, which outlines three tiers of criminal penalties based on the nature of the violation:

1. Simple Negligence: A fine of up to $50,000 and imprisonment for up to one year for knowingly obtaining or disclosing identifiable health information.

2. False Pretenses: A fine of up to $100,000 and imprisonment for up to five years for obtaining or disclosing identifiable health information under false pretenses.

3. Intent to Sell, Transfer, or Use for Commercial Advantage, Personal Gain, or Malicious Harm: A fine of up to $250,000 and imprisonment for up to ten years for obtaining or disclosing identifiable health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.

Statistics of HIPAA Enforcement

Since the HIPAA Privacy Rule was enacted, the DOJ’s Office of Civil Rights has investigated over 30,839 cases, resulting in significant penalties and corrective actions. Civil monetary penalties have been assessed in 145 cases, resulting in $142 million in recoveries. The Office of Civil Rights has referred 2,197 cases to the DOJ. Most major healthcare entities have had a HIPAA action against them. Anthem settled a violation for $115 million, Memorial Healthcare settled for $5.5 million, and New York Presbyterian and Columbia University Medical Center settled for $4.8 million.

HIPAA Criminal Cases

Criminal cases are sparse. In 2014, a Texas hospital employee pleaded guilty to accessing HIPAA-protected information and using it for personal gain, resulting in an 18-month sentence. In 2015, a former district manager of Warner Chilcott, a pharmaceutical company, pleaded guilty to disclosing health information and was sentenced to one year of probation.

So, can HIPAA violations lead to criminal charges? The answer is yes, but it is rare and requires clear evidence of intent and harm. In Haim’s case, the indictment claims that his actions were intentional and malicious, aimed at causing harm by disclosing patient information to the media. As we watch this case, remember the word “redacted” its vitally important when the Government seeks to put a person in jail for an improper disclosure.

If you’ve enjoyed this article, consider reading Unraveling Federal Criminal Investigations, a spellbinding journey through our nation’s biggest cases.