On September 8, 2011, the United States Attorney’s Office announced that John Edward Cipolla, of Niagara Falls, Ontario, was charged with making a false statement to government agents and with violating the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Mr. Cipolla allegedly abandoned medical records in a dumpster behind the Erie County Auto Bureau office in Cheektowaga, New York, on June 2, 2010. The records belonged to Avalon Centers Inc., a former eating disorder clinic located in Clarence, NY. The defendant had obtained the records in the hopes of re-opening the clinic. As alleged in the complaint, Cipolla told government agents that he did not look through the records that he had taken from Avalon’s office and that there were no patient files in those records.

The charge would appear to involve two of the three grounds that subject one to the most severe criminal penalty—up to ten years’ confinement and a $250,000 fine—the knowing and improper use or disclosure of individually identifiable health information for commercial advantage (re-opening a clinic presumably by using the records to contact former patients) and personal gain (the profits from said clinic).

Note also that the defendant does not appear to have any connection to an existing covered entity, demonstrating the broad reach of the HITECH Act’s expansion of criminal liability to include employees and other individuals who commit HIPAA crimes. This indictment, along with the one discussed in my August 9, 2011, blog entry of a person who had impersonated a doctor, demonstrates that just about anyone who improperly obtains or discloses PHI in violation of HIPAA may be criminally liable.