Share this article on:
Yesterday, two separate data breaches were reported to the HHS’ Office for Civil Rights which were allegedly caused as a result of members of staff taking confidential patient data to other healthcare providers. Baptist Health discovered a provider had exported data which was subsequently used to contact patients and offer them healthcare services at a separate, unaffiliated clinic. An alleged theft of PHI has also been reported, in this case, by the former CEO of Angels in Your Home; a Rochester, NY based full service homecare agency.
Alleged Unauthorized Disclosure of PHI at Angels in your Home
The unauthorized disclosure affects two licensed home care agencies affiliated with Angels in your Home. The former CEO of Angels in your Home, Marco Altieri, is alleged to have taken patient PHI with the intent of using that information to recruit patients for a new healthcare agency, All-American Home Care, although the allegations have been denied by Altieri’s attorney.
The alleged theft of data came to light during a conversation between the Center for Disability Rights (CDR) – an advocacy group for people with disabilities – and a client who had been receiving services from Angels in your Home. The individual in question told CDR that her attendants had not been paid for the services provided, and as a result the client was at risk of having to go to a nursing home. CDR contacted Bruce Darling, CEO of the Center for Disability Rights, for further information.
According to a statement issued by CDR, “CDR contacted the agency to follow-up, and a representative from Angels in Your Home told us that when the former CEO left Angels he took consumer files, including the file of our consumer, which is why her attendants had not been paid.”
It would also appear that a rumor had been circulating that Angels in your Home was going to be bought out by another company, and that 10 individuals who had been receiving assistance from Angels in your Home and CDR, had been contacted by All-American Home Care. Also, nine clients had requested to have their agency of record switched to the new company.
The rumors of the closure of Angels have been confirmed as being “completely false,” and that the services provided to disabled clients would continue, at the same high levels previously.
According Darling, “We have had some individuals contact us. We are encouraging other individuals who believe or know their information was compromised, misused or stolen [to contact CDR] so we can coordinate between the impacted disabled individuals and the legal community to make sure that they have representation.”
Darling also pointed out the seriousness of the situation. A notice on the CDR website, written by Darling, says, “When a trusted individual steals from, lies to, or manipulates the disabled people that they serve in order to make a profit, that trust is not just broken, it is ripped away.”
He also said, “Protected Health Information cannot be used for profit, and people with disabilities should not be treated like commodities.” The matter has now been reported to the HHS’ Office for Civil Rights (OCR), and the state attorney general has also been notified.
Darling also pointed out that this is not an isolated incident. “This has been a growing trend locally that must stop,” he said.
With the accusations denied by Altieri, the case is likely to now be resolved in court. Should the accusations turn out to be true, or proven so in a court of law, there could be other repercussions for Altieri and the co-defendants.
Penalties for HIPAA Violations and Improper Sharing of Protected Health Information
The sharing of Protected Health Information is permissible under HIPAA Rules, although only with prior authorization from patients and not for profit. In this case, if the allegations turn out to be true, the HIPAA Privacy Rule will have been violated. As such, the individual(s) concerned are likely to be the subject of an OCR investigation. The Center for Disability Rights is currently arranging legal help for the individuals affected by the privacy breach. A lawsuit was also filed by Angels in Your Home on Tuesday, which names Altieri, All-American Home Care and other defendants, according to the Democrat and Chronicle.
This is of course not the first time that a member of staff has been accused of taking data to a new employer and it will certainly not be the last. Any healthcare worker considering taking patient information to a new employer should be aware of the potential consequences of their actions, which will almost certainly involve legal action by the provider and patients. There are also serious penalties for HIPAA violations from the OCR, state attorneys general and other regulatory bodies, which can include lengthy prison terms and heavy fines.