Respiratory Therapist Convicted in HIPAA Criminal Case
Prosecutors Alleged Patient Information Used to Seek Drugs
In a rare criminal case involving a HIPAA violation, a federal jury in Ohio has convicted a former respiratory therapist of wrongfully obtaining individually identifiable health information. Prosecutors alleged the therapist used the information to seek, obtain or use intravenous drugs.
Jamie Knapp, 26, who formerly worked at ProMedica Bay Park Hospital in Oregon, Ohio, was convicted on June 23 of the misdemeanor. She faces up to one year in prison. Sentencing is tentatively slated to occur no sooner than October.
In indictment documents, prosecutors said that from May 10, 2013, to about March 25, 2014, Knapp wrongfully obtained computerized protected health information of approximately 596 ProMedica patients (see Former Therapist Charged in HIPAA Case).
Prosecutors said that in her capacity as a respiratory therapist, Knapp was authorized to access individually identifiable health information of certain respiratory patients, but she accessed the HIPAA-protected information of others without authorization.
"Criminal HIPAA convictions are pretty rare, but they do happen in the right situations," says privacy attorney Kirk Nahra of the law firm Wiley Rein, who was not involved in the Knapp case. Criminal HIPAA cases "have tended to involve insiders who have done something seriously wrong - using PHI to commit fraud or identity theft, fraudulent submission of tax returns, selling information about celebrities, etc."
HIPAA criminal convictions are infrequent, in part, because the government must prove that the person knowingly obtained or disclosed individually identifiable health information and did so without authorization, says healthcare attorney Betsy Hodge of the law firm Akerman LLP, who was not involved in the Knapp case.
"Depending on what a covered entity's HIPAA policies and procedures say about who may access individuals' protected health information, the government may not be able to meet that burden in a particular case," she says. "Also, some recent breaches appear to involve individuals outside the United States, making it difficult for authorities to prosecute the responsible parties."
Motivation for Accessing Records
During testimony in the two-day trial, the judge instructed the jury to consider the drug-related evidence only when evaluating prosecutors' claims about Knapp's motive for wrongfully obtaining the patient information, noting that Knapp was not on trial for drug charges.
"This is a variation on the theme, but the similarity is that these are clear problems, not mistakes or misjudgments about the HIPAA rules," Nahra says. "So the good news is that people aren't being prosecuted for making good faith HIPAA judgments, even if they aren't right. The government only prosecutes when there are significant bad things happening."
Prosecutors have pursued only a few dozen criminal HIPAA cases, notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who was not involved in the Knapp case. "Very few that I have seen have gone to a jury like this one. More often there is a plea deal."
An attorney representing Knapp declined to comment. Prosecutors did not immediately respond to Information Security Media Group's request for comment.
In a statement, ProMedica tells ISMG, "ProMedica deeply values patient privacy, and will take appropriate disciplinary action against individuals who violate patient privacy guidelines."
In the first HIPAA criminal case, former UCLA Healthcare System surgeon Huping Zhou was sentenced in 2010 to four months in prison after admitting he illegally read the private electronic medical records of celebrities and others (see HIPAA Violation Leads To Prison Term).
Among other criminal HIPAA prosecutions was a case involving Joshua Hippler, an employee of an unidentified hospital in East Texas. In February 2015, Hippler was sentenced to serve 18 months in prison after pleading guilty to wrongful disclosure of individually identifiable health information (see Prison Term in HIPAA Violation Case). Federal prosecutors in that case said that Hippler used his position as a hospital employee to obtain PHI with the intent to use it for personal gain.
In another case in October 2013, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.
In one of the harshest sentences handed out so far in a HIPAA-related case, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced in April 2013 to serve 12 years in prison in a case that also involved $10.7 million in Medicare fraud, as well as criminal HIPAA violations (see Hefty Prison Sentence in ID Theft Case).
Many other defendants sentenced for criminal HIPAA violations, however, have gotten lighter sentences and avoided prison time.
For example, in November 2014, Christopher R. Lykes Jr., a former South Carolina state employee, was sentenced to three years of probation, plus community service, after he sent personal information about more than 228,000 Medicaid recipients to his personal e-mail account (see Sentencing In S.C. Medicaid Breach Case).
The Knapp case serves as a reminder that while access to protected health information by outsiders - including ransomware attacks - has received a great deal of attention recently, covered entities and business associates still face insider threats from their employees, Hodge notes.
Healthcare organizations can take several steps to help prevent wrongful access to PHI that could lead to crime. Nevertheless, it can prove challenging to stop employees who have authorized access to some patient data from accessing the records of other patients.
"It is impossible for healthcare organizations to eliminate the potential for their workforce to abuse their access privileges and review records inappropriately," Greene notes. "Generally, the best organizations can do is to set clear policies on accessing records, reinforce this through regular training, routinely review records to identify potential abuse, and impose significant consequences when - not if - the occasional workforce member abuses his or her access."
Covered entities and business associates should periodically revisit their policies regarding employee access to protected health information to determine which employees need access to what protected health information, Hodge says. "Every employee does not need access to all protected health information of every patient. If a covered entity cannot use technology to prevent employees from accessing records of patients for whom they are not providing care, the covered entity should have policies stating that employees may not access the information of those individuals."
Preventing insider breaches, including those involving individuals using patient information to commit crimes such as identity theft, requires a multifaceted approach, Nahra says.
"The solution involves training, education, monitoring, controlling access and making sure people know they are being watched and that they will get caught and perhaps fired or prosecuted if they are doing something seriously wrong, while at the same time reassuring employees that these actions don't occur if people are trying to do the right thing," Nahra says.
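The "routinely review records to identify potential abuse" and "monitoring" steps described above can be automated as a periodic audit-log review that compares each EHR access against the user's documented care relationships. The following is an added example, not code from the article or from ProMedica: it assumes a constructed, whitespace-separated audit-log format (timestamp, user id, role, patient id, action) and a constructed care roster mapping each workforce member to the patients they are currently treating, which in practice would be fed from the scheduling or ADT system. Accesses with no care relationship are reported per user, together with the number of distinct patients touched, so a reviewer can spot both one-off lookups and the high-volume pattern the case involved.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set

# Constructed sample EHR audit-log lines (illustrative only; not from the case).
# Assumed format: ISO timestamp, user id, role, patient id, action.
SAMPLE_LOG = """\
2013-05-10T08:02:11 rt_user01 respiratory_therapist P1001 VIEW
2013-05-10T08:15:40 rt_user01 respiratory_therapist P1002 VIEW
2013-05-10T08:20:05 rt_user01 respiratory_therapist P2201 VIEW
2013-05-10T08:21:33 rt_user01 respiratory_therapist P2202 VIEW
2013-05-11T22:47:09 rt_user01 respiratory_therapist P3300 VIEW
2013-05-10T09:00:12 rn_user07 nurse P2201 VIEW
2013-05-10T09:05:48 rn_user07 nurse P2202 UPDATE
2013-05-10T10:30:00 clerk_03 registration P1001 VIEW
"""

# Constructed care roster: patients each workforce member is currently treating.
# A user missing from the roster is treated as having no assigned patients.
CARE_ROSTER: Dict[str, Set[str]] = {
    "rt_user01": {"P1001", "P1002"},
    "rn_user07": {"P2201", "P2202"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the assumed audit-log format into AccessEvent records."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, patient, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def find_unassigned_access(events: Iterable[AccessEvent],
                           roster: Dict[str, Set[str]]) -> List[AccessEvent]:
    """Return events where the user had no documented care relationship with the patient."""
    return [e for e in events if e.patient not in roster.get(e.user, set())]


def summarize_by_user(events: Iterable[AccessEvent],
                      roster: Dict[str, Set[str]]) -> Dict[str, Dict[str, int]]:
    """Per-user counts: total accesses, distinct patients touched, and unassigned accesses."""
    acc = defaultdict(lambda: {"total": 0, "patients": set(), "unassigned": 0})
    for e in events:
        s = acc[e.user]
        s["total"] += 1
        s["patients"].add(e.patient)
        if e.patient not in roster.get(e.user, set()):
            s["unassigned"] += 1
    return {
        u: {"total": s["total"], "distinct_patients": len(s["patients"]),
            "unassigned": s["unassigned"]}
        for u, s in acc.items()
    }


def flag_users(summary: Dict[str, Dict[str, int]],
               max_unassigned: int = 0, max_distinct: int = 25) -> List[str]:
    """Users exceeding either review threshold (thresholds are assumed, tune per site).
    max_unassigned=0 flags any access outside a care relationship; max_distinct
    catches volume, since a legitimate caseload rarely spans hundreds of patients."""
    return sorted(u for u, s in summary.items()
                  if s["unassigned"] > max_unassigned or s["distinct_patients"] > max_distinct)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    report = summarize_by_user(evts, CARE_ROSTER)
    for user in flag_users(report):
        print(f"REVIEW {user}: {report[user]}")
        for e in find_unassigned_access(evts, CARE_ROSTER):
            if e.user == user:
                print(f"    {e.ts.isoformat()} {e.action} patient={e.patient}")
```

Run as a scheduled job over the previous day's audit export, the output is a short list of users for a privacy officer to review rather than a verdict; legitimate exceptions (covering a colleague's patients, emergencies) still need a human to confirm against the policy the organization has set.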