By Adam H. Greene

Dr. Richard Kaye, a former medical director of the Psychiatric Care Center at Sentara Obici Hospital (Suffolk, Virginia), was indicted on June 21, 2011, in the U.S. District Court for the Eastern District of Virginia, on three counts of violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The indictment is significant in that it is the first criminal prosecution under HIPAA premised on communications with a patient’s employer.

The indictment alleges that, on three separate occasions, Dr. Kaye informed one or more agents of a former patient’s employer that the patient was a serious and imminent threat to public safety, despite the patient’s discharge summary having indicated otherwise. Dr. Kaye was previously reprimanded by the Virginia Board of Medicine, with a fine of $5,000, for the same incident.

The criminal indictment alleges that Dr. Kaye disclosed, without authorization, the individually identifiable health information of a former patient in violation of the HIPAA Privacy Rule. The U.S. Attorney charged that the violation was committed under false pretenses because Dr. Kaye indicated that the former patient was a threat to public safety when, according to the indictment, he knew otherwise. If convicted, he faces a fine of up to $100,000 and/or imprisonment of up to five years. It is worth noting, however, that the U.S. Attorney has not charged that Dr. Kaye’s actions were for personal gain or malicious harm (charges that would bring increased fines and imprisonment).

This is at least the fifteenth criminal prosecution under HIPAA, and the first one premised on communications with a patient’s employer. Other prosecutions have generally involved individuals impermissibly obtaining or disclosing patient information for purposes of identity theft or other financial fraud, for obtaining controlled substances, or for snooping on celebrities or other persons of interest. Accordingly, this is a seemingly unique HIPAA prosecution in that the indictment does not allege that Dr. Kaye’s actions were for personal gain or represented an egregious case of snooping. The motive behind Dr. Kaye’s communications with agent(s) of the former patient’s employer is unclear.

This charge comes less than a month after Chelsea Catherine Stewart was criminally charged in Alabama for violating HIPAA. The indictment of Ms. Stewart relates to attempted identity theft, but is also unique since Ms. Stewart is the first non-employee of a HIPAA covered entity who has been criminally charged under HIPAA.