Share this article on:
A former respiratory therapist has been convicted on criminal HIPAA violations by a federal jury in Ohio. The jury agreed with prosecutors that the protected health information of patients was wrongly obtained and that PHI was used to seek and obtain intravenous prescription drugs.
Jamie Knapp was employed as a respiratory therapist at the ProMedica Bay Park Hospital in Oregon, Ohio. Over a period of 10 months Knapp improperly accessed the medical records of 596 patients. Knapp was permitted access to patient records in order to conduct her work duties; however, she was only permitted access to the records of patients she was treating. Knapp abused her access rights and viewed the PHI of other patients without authorization, according to the prosecution.
Sentencing has been tentatively scheduled for October and Knapp could be jailed for up to a year.
It is relatively rare for individuals to be tried for HIPAA violations, even when violations of the Health Insurance Portability and Accountability Act clearly appear to have taken place. Criminal convictions are even rarer. In order for a healthcare worker to be convicted in a criminal HIPAA case, prosecutors must be able to establish and demonstrate that patient health records were knowingly accessed without authorization.
This can prove difficult. In Knapp’s case, the prosecution introduced evidence of drug-related activity to help establish the motive for accessing PHI, even though Knapp was not on trial for drug-related offenses.
Criminal HIPAA Cases in Recent Years
While rare, there have been a handful of HIPAA criminal convictions in the past few years. In February 2015, Joshua Hippler was sentenced to serve an 18-month jail term for improperly accessing and wrongfully disclosing patient health information for personal gain.
A South Carolina Department of Health and Human Services employee was sentenced to three years’ probation and community service for emailing the records of 228,000 Medicare and Medicaid recipients to his personal email address.
In some cases, the penalties have been severe. In 2013, the former owner of a medical supply company was sentenced to 12 years in jail for criminal HIPAA violations and Medicare fraud. Patient data was improperly accessed and disclosed and used to commit $10.7 million of Medicare fraud.
Healthcare employees must be granted access to PHI in order to perform work duties and that carries a risk of PHI being improperly accessed, used, and disclosed. However, there are steps that can be taken to reduce the risk of PHI access rights being abused.
Healthcare organizations can take steps to reduce the opportunity for theft or snooping on health records by implementing controls to limit the data that employees can access. Healthcare workers can be allowed access to the records of patients they are authorized to treat for example, yet prevented from accessing other patients’ records.
Healthcare employees should be trained on HIPAA Rules regarding the privacy of patient records. Refresher training sessions can also be conducted to reinforce rules on data access.
It is also important for PHI access logs to be periodically checked to identify when improper access has occurred. Data access policies may not be able to prevent the improper accessing of medical records, but healthcare organizations can ensure that improper access is identified promptly to ensure that damage is kept to a minimum.