Criminal prosecutions of hospital employees for HIPAA violations are relatively uncommon, although another case has recently resulted in legal action, with a former employee of ProMedica Bay Park Hospital charged with HIPAA violations for inappropriately accessing 596 patient records.
Jamie Knapp was indicted by a federal grand jury in Ohio for unlawfully viewing and obtaining protected identifiable healthcare data and for accessing a protected computer without authorization. The penalty for these charges is a fine of up to $500,000 and a prison term of up to 10 years if prosecutors determine that PHI was taken for personal gain.
The inappropriate accessing of PHI is alleged to have occurred between April 1, 2013 and April 1, 2014. A police investigation was conducted last summer after the breach was discovered and Knapp was determined to be the employee responsible for the breach.
The data compromised in the incident included patient names and dates of birth as well as Protected Health Information including hospital visit numbers, physician names, medications prescribed, medical diagnoses and other clinical information. No financial information or Social Security numbers were believed to have been accessed.
The indictment states, “In her capacity as a respiratory therapist, Knapp was authorized to access individually identifiable health information and protected health information of certain respiratory patients,” and also states that “Knapp was not authorized to access the individually identifiable health information and protected health information of other hospital patients.”
HIPAA Violations Can Lead to Prison Time
Employee snooping on healthcare data is a common problem, and each year many violations are reported to the Office for Civil Rights, even though few result in criminal proceedings. Many of these cases involve the viewing of a limited number of records, such as when employees view the PHI of friends and relatives or use their access rights to snoop on celebrity medical files. However, in some cases the offenses are deemed serious enough for criminal proceedings to be initiated.
In the most recent case, East Texas hospital worker Joshua Hippler was indicted on HIPAA charges last year for the inappropriate accessing of patient health records and was sentenced to 18 months in jail.
In April 2013, Helene Michel was sentenced to serve 12 years in prison for illegally obtaining PHI and using that information to make bogus Medicare claims. The charges included impersonating a doctor and fraud, hence the lengthy jail term. In the same year, a former nursing assistant, Denetria Barnes, was charged with conspiracy to defraud and wrongful disclosure of HIPAA-covered data and was sentenced to serve 37 months in jail for the offenses.
How Can Healthcare Providers Prevent Insider HIPAA Breaches?
Since employees must be provided with access to medical records to perform their work duties, any member of staff with access rights can potentially view the data of patients. It is therefore almost impossible to prevent staff from accessing PHI from a technical perspective, but that does not mean that healthcare providers are powerless to prevent insider HIPAA breaches.
A number of procedures can be implemented that can reduce the probability of an insider HIPAA breach occurring. The first is education. The staff must be informed of HIPAA Rules covering the access and disclosure of PHI, including what data constitutes PHI.
The staff should be warned of the repercussions of illegally accessing records, and should be told in no uncertain terms that improper access will result not only in loss of employment but potentially up to 10 years in prison. It may not be sufficient to prevent access, but it should certainly make potential thieves think twice before accessing patient records without authorization.
There must also be a system that logs attempts made by staff to access PHI and these logs must be checked on a frequent basis. By checking access logs the staff can be monitored to ensure no employees are accessing data that they are not authorized to view. It will not prevent a breach, but it will ensure that the damage caused is kept to a minimum level.
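The log review described above, as an added example that is not part of the original article: it flags record accesses by staff who have no care assignment for the patient, the pattern described in the indictment, and ranks users by the number of distinct patients involved. The log format, user names, patient IDs and assignment table are constructed assumptions, not data from the case.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: which staff are assigned to each patient's care.
ASSIGNMENTS = {
    "P100": {"rt_adams", "dr_lee"},
    "P101": {"rt_adams"},
    "P200": {"rn_cole", "dr_lee"},
    "P201": {"rn_cole"},
    "P202": {"dr_lee"},
}

# Constructed access log rows: timestamp, user, patient_id, action.
ACCESS_LOG = """\
2014-03-03T08:15:00,rt_adams,P100,view
2014-03-03T08:20:00,rt_adams,P101,view
2014-03-03T22:41:00,rt_adams,P200,view
2014-03-03T22:43:00,rt_adams,P201,view
2014-03-04T09:02:00,rn_cole,P200,view
2014-03-04T23:10:00,rt_adams,P202,print
2014-03-05T10:31:00,rn_cole,P999,view
"""


def unauthorized_accesses(log_text, assignments):
    """Return log rows where the user has no care assignment for the patient."""
    flagged = []
    reader = csv.reader(io.StringIO(log_text))
    for ts, user, patient, action in reader:
        # Unknown patient IDs count as unassigned, so they are flagged too.
        if user not in assignments.get(patient, set()):
            flagged.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return flagged


def review_queue(flagged, threshold=2):
    """Users with >= threshold distinct out-of-assignment patients, worst first."""
    patients_by_user = defaultdict(set)
    for row in flagged:
        patients_by_user[row["user"]].add(row["patient"])
    queue = [(u, sorted(p)) for u, p in patients_by_user.items() if len(p) >= threshold]
    return sorted(queue, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    flagged = unauthorized_accesses(ACCESS_LOG, ASSIGNMENTS)
    for user, patients in review_queue(flagged):
        print(f"{user}: {len(patients)} patients outside assignment -> {patients}")
```

Setting `threshold=1` surfaces single out-of-assignment lookups as well, which covers the limited snooping cases the article mentions at the cost of more manual review.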