The government has convicted HIPAA violators -- make sure you're not at risk HIPAA compliance may no longer be at the top of your to-do list, but that doesn't mean it should fall off of the list all together. As most practices know, the HIPAA privacy rule went into effect in April 2003. At that point, you couldn't walk out your office's front door without hearing a HIPAA best practice or tip. But almost five years have passed since then, and in some offices, HIPAA has been put on the back burner. Reality: The U.S. Department of Justice is watching covered entities that violate privacy rules, so you can't turn your back on HIPAA anytime soon. In 2004, a cancer clinic employee was sentenced to 16 months in federal prison after pleading guilty to violating HIPAA's privacy rules. The violator confessed to obtaining a cancer patient's PHI and using it to obtain credit cards in the patient's name, after which he rang up thousands of dollars worth of credit card charges to buy items for himself. His conviction, the first ever under the HIPAA's privacy rule, caused some analysts to scratch their heads, wondering whether the man was considered a "covered entity" under HIPAA's regs. According to the HHS Office of Civil Rights (OCR), which enforces HIPAA, a covered entity is a healthcare provider, a healthcare clearinghouse, or a health plan. Nonetheless, the DOJ was able to convict the employee described in the case above, even though he was not a covered entity. "If the DOJ can't prosecute someone specifically under HIPAA because they don't qualify as a covered entity, they can most likely nail a violator under half a dozen other laws for most of the things they're interested in trying to prosecute," says Kirk J. Nahra, Esq, with Wiley Rein, LLP in Washington, D.C. The OCR has received more than 32,487 privacy complaints and has resolved 5,509 of those cases by asking practices to change their privacy practices and requesting other corrective actions, according to the OCR Web site. The top HIPAA complaint that the OCR received was regarding impermissible PHI disclosure, followed by lack of PHI safeguards. Private practices were the number one type of covered entity required to take corrective action to comply with HIPAA, followed by hospitals, outpatient facilities, health plans and pharmacies. "So far there have been no financial penalties imposed following these investigations because the OCR would rather have people complying with the privacy regulations than collecting money," says Michael B. Glomb, Esq, with Feldesman, Tucker, Leifer, Fidell, LLC in Washington, D.C. "You only have a penalty imposed if they found a violation and you decided to ignore their recommendations to fix it," he says. On the other hand, some members of the healthcare privacy community have disagreed with the lack of penalties imposed. "So I would not be surprised if we didn't see some penalties imposed in the more egregious situations in the future," Glomb says. Keep in mind: The DOJ isn't going after people who leave their computer screen turned on with the patient schedule showing, Nahra says. "Most of HIPAA is just a question of good practices," he says. "People aren't going to jail for the minimum requirements under the privacy regulations. They're getting into trouble for things like stealing patient information." Ironically, one of the biggest complaints about the HIPAA privacy rule is from friends and family of the patients themselves, Nahra says. "Lots of complaints are that medical professionals aren't answering their questions about their relative's medical condition, such as their mother or their son," he says. To read the Office of Civil Rights' HIPAA statistics, as well case examples of covered entities that the OCR investigated, visit http://www.dhhs.gov/ocr/.