A physician in Virginia has been criminally indicted and charged with three counts of violating HIPAA in connection with release of protected health information ("PHI") to a patient's employer. This criminal charge is unique in that it does not allege that the physician released the PHI for personal gain. Instead, the charges are based on the fact that improper release was made "under the false pretenses that the disclosure of said information was necessary . . . . " Specifically, the physician knew that the patient was not a serious and imminent threat to the safety of the public, but used that as a basis upon which to release the PHI to the patient's employer.
This indictment demonstrates that the government will pursue criminal charges if it disagrees with a health care provider's rationale for releasing PHI. Health care providers should continue to carefully adhere to their HIPAA privacy policies when releasing any PHI, and consult with legal counsel in the event that they are unsure whether a release of PHI is permitted under HIPAA.