Healthcare Partner Jeff Drummond Speaks on HIPAA Criminal Prosecutions and Liability for Employers

April 11, 2018

Criminal prosecutions for violations of patient privacy under the Health Insurance Portability and Accountability Act (HIPAA) have been relatively rare since its enactment in 1996. Civil fines, often hefty ones, are far more common. However, when an East Texas man was sentenced in 2015 for a criminal HIPAA violation, observers said it signaled that the government was getting tough on HIPAA breaches, according to the Dallas Morning News.

The article, entitled “Parkland hospital ex-employee pleads guilty to illegally leaking patient info for tax fraud scheme,” reviews several such criminal prosecutions, including that of the Parkland employee who sold the personal information of 100 Dallas County Jail inmates to be used in a tax refund scam and is now facing up to 10 years in prison.

Dallas healthcare partner Jeffery P. Drummond, who was interviewed for the story, observed that hospitals and other providers are expected to have systems in place to prevent the improper use or disclosure of patient information. The fines can be substantial, according to Drummond, even up to seven figures. Authorities like to make an example.

“They want a big scalp to hang on the wall,” Drummond said.

Drummond said financial fraud is not the only motive for disclosing patient information. Some have given patient information to personal injury lawyers looking for clients, or to media organizations when patients are celebrities.

According to Drummond, “That’s why hospitals need to have tight controls over who gets to access patient information. A good security system will alert hospital officials whenever an unauthorized person accesses a high-profile patient’s file. If they don’t have reasonable safeguards, the employer can be held responsible.”

Meet Jeff

Jeffery P. Drummond represents healthcare providers in transactional and regulatory matters. He is best known for his experience in HIPAA and medical record privacy, as well as other data privacy and security issues. Jeff has been involved in HIPAA compliance since it was enacted and has drafted thousands of HIPAA forms, documents, agreements, and policies for hundreds of entities and institutions, including the documents provided by the Texas Medical Association to its physician members. Jeff is a frequent speaker on HIPAA and cybersecurity issues, speaking to large and small healthcare entities, lawyers, and other vendors to the healthcare industry. Since 2002, Jeff has written a weblog on HIPAA matters at, and he regularly tweets about HIPAA @JeffDrummond.