Compliance Officer Personal Liability

Compliance officer personal liability for the compliance of the company. Is that a thing? The recent settlement with a compliance officer says maybe so.

The May 2017 settlement agreement between the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and the U.S. Attorney’s Office for the Southern District of New York has created interesting conversations within compliance circles. In this case, the Chief Compliance Officer of Moneygram was able to reach a settlement in the personal liability case against him.  That agreement included a $250,000 penalty payment and 3 years restriction on working in that industry. Yep, that is enough to make you sit up and take notice.


HIPAA For MSPs Compliance Officer Personal Liability?

Today’s topic

Compliance Officer Personal Liability – EP 114

There has always been a concern from many people we work with about compliance officer personal liability. Specifically, is a compliance officer personally liable for the compliance of the company?


What About HIPAA

Can you be personally liable under HIPAA? There are criminal penalties in the law, but those apply to doing something with PHI with malicious intent. What this case, and many others, use as the basis for liability is the False Claims Act.

I got this great explanation from the legal paper: “Who Goes To Jail?” A Guide for HIPAA Privacy Officers by Edward F. Malone, Esq. of Chicago.

The False Claims Act, 31 U.S.C. §3729 (1994), punishes a defendant for knowingly or with reckless disregard for the truth, making false statements to the government in connection with a claim for money or reimbursement. The False Claims Act can apply even when the actual request for payment is neither false nor fraudulent. Liability can be imposed when a defendant, as required by the government, certifies that it is in compliance with a separate statute, law or regulation in order to obtain payment when it is in fact not in compliance with that statute, law or regulation.

The paper goes on to explain that under HIPAA you can’t be held personally liable.

Liability of Privacy Officers. Privacy Officers are not exposed to a greater risk of criminal liability than other employees solely on the basis of their position as a Privacy Officer. Unlike the corporation as an entity, the Privacy Officer cannot be held criminally liable for another employee’s criminal act. A Privacy Officer cannot be held criminally liable for a criminal violation committed on “their watch” unless they themselves also participated in the criminal act through planning, participating in, or covering up its commission.

How could that apply to me?

Is compliance officer personal liability something you should worry about? The short answer is “We don’t know”.

  • MU money
  • Investigation responses
  • Breach assessments

Is there a case on the horizon that may say that there is compliance officer personal liability under HIPAA and HITECH? We never know that kind of stuff for sure until it is made public. However, there are plenty of ways the False Claims Act could potentially be applied across all of the HIPAA requirements.

We will certainly keep an eye out for any indication that the same logic will be applied to HIPAA cases anytime soon. If we hear anything at all, you can bet we will be covering it in an episode.