Worst-case scenario

By Paul McNamara, Network World
May 30, 2005 12:02 AM ET
Prison? ... An IT guy? ... For violating HIPAA or Sarbanes-Oxley ? ...

Could it really happen?

It's known as the "go-to-jail scenario" in IT circles, a confluence of events that might land a CIO or network executive not just in hot water, but behind bars. You've probably heard loose talk about this risk at industry conferences and in the press. But can an IT exec actually end up doing hard time - as opposed to being fired or fined - for violating one of these federal laws?

The jury is still out. Everyone we talked to pretty much agrees that the go-to-jail scenario is a long shot that would require overt bad deeds far beyond simply screwing up. But no one was willing to entirely rule out the possibility of a stretch in the slammer, either.

Clearly, the legislation and regulations governing the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act and the like include criminal penalties: up to 10 years in prison with HIPAA for "obtaining or disclosing protected health information;" 10 to 20 years with SOX for "destruction, alteration or falsification of records," just to cite two examples.

And a former cancer clinic worker in Seattle became the first person convicted of criminal charges under HIPAA last November. The sentence: 16 months for using patient information to fraudulently obtain credit cards. Experts say this case isn't all that instructive in terms of how these laws will be applied toward IT executives because this type of outright fraud has always carried the threat of prison.

But the reality is that more IT professionals are finding themselves in the enforcement cross hairs. "There's no question that more and more people from the IT world are becoming responsible for electronic records management," says Bob Williams, president of Cohasset Associates, a Chicago consulting firm that specializes in document management. Primary responsibility for electronic records management rests with IT in more than 70% of organizations, according to a Cohasset Associates survey of 2,200 records-management professionals. And with that primary responsibility comes vulnerability to enforcement penalties.

HIPAA CRIMINAL PENALTIES
Any person who knowingly obtains or discloses individually identifiable health information in violation of the Administrative Simplification Regulations faces a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, and up to five years in prison. Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to 10 years.

"Maybe we should say it backwards: Can you definitively say an IT person would not go to jail?" says Jonathan Redgrave, an attorney with the Washington office of Jones Day, who specializes in electronic records issues. "You can't say that they wouldn't; it really depends on the facts of the situation."
