December 9, 2022 | By Rachel Rose, JD, MBA
Although it is said that “business is global”, there are nuances to this blanket statement to consider when creating, receiving, maintaining, or transmitting electronic protected health information or electronic health information (herein the blanket term “PHI” is used) internationally.[i] Before delving into items to consider when business associates (including subcontractors) and PHI are international, it is important to appreciate that both the U.S. Department of Health and Human Services Office for Civil Rights (“HHS-OCR”) and the U.S. Department of Justice (“DOJ”) have the authority to enforce the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”),[ii] as well as the related Privacy Rule, Security Rule, and Breach Notification Rule, and to penalize violations of them.[iii]
Fundamentally, HHS-OCR receives a complaint and investigates it. As HHS illustrates on its website:[iv]
The DOJ may get involved in one of two ways: (1) a government agency (HHS-OCR or otherwise) refers possible criminal violations of HIPAA to it; or (2) a False Claims Act case emerges in which remuneration is exchanged for access to patient records, often with subsequent financial gain. For example, on November 10, 2022, the DOJ announced that five (5) individuals had been indicted by a grand jury for conspiring to take the names and phone numbers of Methodist Hospital (Memphis, TN) patients who had been involved in motor vehicle accidents and sell that information to third parties. Additionally, Defendant Harvey was “also charged with seven counts of obtaining patient information with the intent to sell it for financial gain on various dates between November 12, 2017, and September 7, 2019.” The criminal penalties are significant: there is a per-charge maximum of ten years in prison, plus fines and a period of supervised release.
How does potential HIPAA liability translate internationally? There are a number of ways.
In May 2022, the United States linked two ransomware families, Jigsaw and Thanos, to “Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, [who] created and rented Jigsaw and Thanos ransomware to cybercriminals.” In essence, a physician created the ransomware, despite taking an oath to do no harm to patients.
In September 2022, the FBI arrested and charged two physicians, one in private practice and her husband, an Army doctor, with “plotting to give the Russian government medical records of members of the American military, believing that the information could be exploited by the Kremlin, federal prosecutors said.” This pattern, illicitly viewing and taking PHI for remuneration, is consistent with other criminal HIPAA indictments.
Some other potential areas of liability, which should be evaluated as part of an annual HIPAA risk analysis, include the following:
- Adequate training;
- Adequate technical safeguards, such as monitoring and audit logs;
- Assessing whether personnel at international business associates are photographing PHI displayed on screen and selling the information; this is unlikely to be detected by software, because no access log entry is generated, so it is where a robust bring-your-own-device (BYOD) policy, and the physical safeguards that enforce it, come into play to mitigate the risk;
- Comprehensive policies and procedures; and
- Substantive business associate agreements.
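The technical safeguards in the list above, monitoring and audit logs, only reduce liability if someone reviews the logs with a concrete hypothesis in mind. As an added example (not from the original article or any named vendor), the following Python script runs a simple review over a constructed PHI access audit log and flags the pattern behind the Methodist Hospital indictment: a user pulling the records of many patients with whom they have no treatment relationship, after hours, plus any access originating from a country where the business associate is not expected to operate. The log format, field names, thresholds and sample records are all assumptions made for illustration; a real deployment would use the EHR's own audit export and the facility's local time zone. Note what it cannot see: a screen photographed with a personal phone never appears in the log, which is why the BYOD and physical-safeguard items above exist.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not real data). Columns:
# timestamp, user, role, patient_id, action,
# has_treatment_relationship (1/0), source_country ("XX" = placeholder
# for a country not on the allowed list)
SAMPLE_LOG = """\
2019-09-07T02:14:03Z,jdoe,registration,P1001,view_demographics,0,US
2019-09-07T02:15:10Z,jdoe,registration,P1002,view_demographics,0,US
2019-09-07T02:16:41Z,jdoe,registration,P1003,view_demographics,0,US
2019-09-07T02:18:05Z,jdoe,registration,P1004,view_demographics,0,US
2019-09-07T02:19:22Z,jdoe,registration,P1005,view_demographics,0,US
2019-09-07T02:21:00Z,jdoe,registration,P1006,view_demographics,0,US
2019-09-07T09:02:11Z,rnsmith,nurse,P2001,view_chart,1,US
2019-09-07T09:30:45Z,rnsmith,nurse,P2002,view_chart,1,US
2019-09-07T10:12:09Z,rnsmith,nurse,P2003,update_chart,1,US
2019-09-07T11:47:30Z,rnsmith,nurse,P2001,view_chart,1,US
2019-09-07T14:05:00Z,drlee,physician,P3001,view_chart,0,US
2019-09-07T15:40:12Z,ba_billing,business_associate,P4001,export_claims,1,XX
"""


def parse_log(text):
    """Parse the assumed CSV format above into a list of event dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action, assigned, country = line.split(",")
        records.append({
            # timestamps are UTC here; convert to facility local time in practice
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "role": role, "patient": patient, "action": action,
            "assigned": assigned == "1", "country": country,
        })
    return records


def _max_distinct_unassigned(events, window):
    """Largest number of distinct patients one user touched without a
    treatment relationship inside any sliding window of the given length."""
    events = sorted((e for e in events if not e["assigned"]), key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(events):
        seen = set()
        for e in events[i:]:
            if e["ts"] - start["ts"] > window:
                break
            seen.add(e["patient"])
        best = max(best, len(seen))
    return best


def find_suspicious_users(records, max_unassigned=3, window=timedelta(hours=24),
                          allowed_countries=frozenset({"US"}), after_hours=(0, 6)):
    """Return {user: [reason, ...]} for users whose activity warrants review.
    Thresholds are assumptions: tune them against the organisation's baseline."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    findings = defaultdict(list)
    for user, events in by_user.items():
        # 1. Bulk lookup of patients the user has no documented reason to see.
        #    A single such access may be a legitimate break-the-glass event.
        burst = _max_distinct_unassigned(events, window)
        if burst > max_unassigned:
            findings[user].append(
                f"accessed {burst} patients with no treatment relationship within {window}")
        # 2. Access from a country where no workforce member or BA should be.
        foreign = sorted({e["country"] for e in events} - allowed_countries)
        if foreign:
            findings[user].append(f"access from unexpected country: {', '.join(foreign)}")
        # 3. After-hours access to unrelated patients (hour range is half-open).
        night = {e["patient"] for e in events
                 if not e["assigned"] and after_hours[0] <= e["ts"].hour < after_hours[1]}
        if night:
            findings[user].append(
                f"after-hours access to {len(night)} patients with no treatment relationship")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in find_suspicious_users(parse_log(SAMPLE_LOG)).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample, `jdoe` is flagged twice (six unrelated patients, all between 02:00 and 03:00) and `ba_billing` once (export from an unexpected country), while the nurse working her own assigned patients and the physician with a single break-the-glass access are not. The "treatment relationship" column is the key input; if the EHR cannot supply it, the same review can be approximated with the user's department or unit assignment.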
As established above, the United States Government has jurisdictional reach outside the United States. With state actors and cyber-attacks originating abroad, joint law enforcement operations against ransomware by multiple countries are likely to continue. In November 2021, Interpol announced that a transcontinental operation involving 19 law enforcement agencies in 17 countries had led to the arrests of multiple suspects who allegedly perpetrated tens of thousands of ransomware attacks, including attacks involving PHI.
In sum, HIPAA-covered entities and business associates need to know with whom they are doing business. Internally, it means doing an annual, comprehensive risk analysis to identify and correct gaps in technical, administrative, and physical safeguards. Externally, it means doing adequate due diligence, reading contracts, including those of cloud providers, so you know where your data is located, and having adequate insurance and other safeguards in place.
DOJ, Warner Chilcott Sentenced to Pay $125 Million for Health Care Fraud Scheme (Apr. 15, 2016), https://www.justice.gov/usao-ma/pr/warner-chilcott-sentenced-pay-125-million-health-care-fraud-scheme (highlighting that in addition to civil and criminal violations of the False Claims Act and the Anti-Kickback Statute, “[f]ormer district manager Timothy Garcia pleaded guilty to wrongful disclosure of individual identifiable health information, a criminal violation of the HIPAA law.”).
DOJ, Five Former Methodist Hospital Employees Charged with HIPAA Violations (Nov. 10, 2022), https://www.justice.gov/usao-wdtn/pr/five-former-methodist-hospital-employees-charged-hipaa-violations.
US Links Thanos and Jigsaw Ransomware To 55-Year-Old Doctor (May 17, 2022), https://www.privacy.com.sg/cybersecurity/us-links-thanos-and-jigsaw-ransomware-to-55-year-old-doctor/.
M. Levenson, Army Doctor and Spouse Plotted to Give Russia Medical Records, U.S. Says (Sept. 29, 2022), https://www.nytimes.com/2022/09/29/us/army-doctor-russia-plot.html.
HHS-OIG, Former Hospital Employee Indicted for Criminal HIPAA Violations (Jul. 3, 2014), https://oig.hhs.gov/fraud/enforcement/former-hospital-employee-indicted-for-criminal-hipaa-violations/.
[i] R. V. Rose, PHI, ePHI, and EHI – Oh my! (Oct. 27, 2022), https://www.physicianspractice.com/view/phi-ephi-and-ehi-oh-my-.
[ii] Pub. L. 104-191 (Aug. 21, 1996).
[iii] 1st Healthcare Compliance, Happy 25th Birthday HIPAA! Q&A with Rachel V. Rose, https://1sthcc.com/happy-25th-birthday-hipaa-qa-with-rachel-v-rose/ (last visited Nov. 25, 2022).
[iv] HHS, Enforcement Process, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html (last visited Nov. 26, 2022).