Doctor to Plead Guilty to HIPAA Privacy Violation

A former physician of Fletcher Allen Health Care in Burlington, Vermont, is due to appear before a federal judge where he is expected to plead guilty to violating patient privacy by using his position and access rights to view the medical information of a patient he was not treating.

The incident occurred in 2008, and the doctor, named as Joshua A. Welch, allegedly accessed the records of a female patient in September which whom he was having a “personal relationship”. That was until the woman discovered that he had accessed her medical records.

A complaint was filed with the hospital and an investigation was launched into the matter, with the case being referred to the State Medical Board. It was discovered that she was not the only woman the doctor had checked out. The healthcare provider discovered that Welch had accessed the medical records of 8 separate women without authorization and for no work reason for doing so.

According to a statement issued by FAHC, “The board’s investigation determined, and respondent admitted, that respondent over the course of two years accessed female patients’ medical records while working at FAHC.” The doctor received a six month suspension on his license and is no longer working for the hospital.

Instead of returning to work after the investigation was completed, the doctor decided to resign and change location, and has now moved to the Rural South West and is providing medical services to a “traditionally underserved population.”

However, that may at least temporarily come to an end. The doctor has entered into a plea deal with the U.S. Attorney’s Office and has agreed to plead guilty to the charge in exchange for a “low end sentence.” A guilty verdict can see the accused sentenced to up to a year in prison and receive a $50,000 fine.

Under the Health Insurance Portability and Accountability Act’s Privacy Rule, patients are afforded certain rights and their records must not be viewed by unauthorized individuals. Just because a physician has access to EHRs, does not mean that the person is permitted to view any patient record. Records may only be accessed by physicians involved in the treatment of their own patients, and only ever for work purposes.

The penalties for unauthorized access can be severe, especially if records are viewed and information obtained for personal gain. It is essential that the penalties for snooping are explained to all staff required to access PHI as part of their work. Ignorance of the law is not a valid defense, and training on HIPAA Rules may be enough to make some individuals think twice about accessing records that they are not authorized to view.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.