Criminal prosecutions for HIPAA violations made by hospital employees are a relatively uncommon occurrence; but the recent spate of HIPAA prosecutions over the past few years suggests that has now changed. Another case of improper accessing of PHI has resulted in criminal charges for HIPAA violations being brought against an employee, this time a healthcare provider that worked at the ProMedica Bay Park Hospital in Oregon, Ohio.
Criminal Prosecutions for HIPAA Violations are Rare
The former respiratory therapist, Jamie Knapp, is alleged to have improperly accessed the medical records of close to 600 patients. Knapp was indicted on charges of unlawfully obtaining identifiable health information of 596 patients, which is a violation of the HIPAA Privacy Rule. She was also charged with unauthorized access of a protected computer, the latter being a federal violation.
The hospital investigated access logs and determined that between April 1, 2013, and April 1, 2014 Knapp had accessed records that she had no legitimate reason to view. It is not clear why Knapp accessed those records and if she did so and copied information with intent to sell or use it to defraud.
However, Knapp was permitted to access patient health records of her patients. It is not clear if during the course of her work duties if the patients’ health records that she legitimately accessed were copied. Were that to be the case, the number of potential victims could be much higher.
If the prosecutors establish that the records were accessed and information was stolen for personal gain the maximum penalty is 10 years in prison and a fine of up to $500,000. Breach notification letters have now been sent to all affected individuals to advise them that their medical records may have been viewed and copied and to monitor their credit and EOB statements for signs of fraudulent activity. The letters started being dispatched on May 28th.
Criminal Prosecutions for HIPAA Violations Likely to Increase
Healthcare organizations are now under the spotlight given the number of data breaches that are occurring. According to the Identity Theft Resource Center Breach Report published in January, between 2013 and 2014 there was a 27.5 percent increase in the number of reported data breaches, and since its records began in 2005 a total of 675 million records have been breached across all industries. Given the fact that the population of the United States is 320 million, that is more than two data breaches per citizen.
Healthcare organizations suffering data breaches must abide by the HIPAA Breach Notification Rule, with the Office for Civil Rights, state attorney generals and other government organizations now taking action against organizations – and individuals – that breach HIPPA rules and access or divulge Protected Health Information. Penalties are also issued when covered entities fail to implement the necessary safeguards to protect it. The days of lax standards of privacy and security are gone, and now the vast majority of healthcare providers have made the move to electronic health records, data security standards must be even higher.
Criminal prosecutions for HIPAA violations punish employees who breach HIPAA Privacy Rules; however action can also be taken against healthcare providers in such cases. The Department of Health and Human Services’ Office for Civil Rights (OCR) must be informed of breaches of PHI via the breach reporting portal on the HHS website. The OCR investigates data breaches and may choose to investigate a healthcare provider that reports a breach if there are indications that it resulted from non-compliance with HIPAA Rules.
OCR investigations have been launched for relatively small data breaches involving less than 500 individuals, and in some cases just a handful of records have been exposed. They have, however, been just the tip of the iceberg with numerous violations of HIPAA Rules uncovered by OCR investigators.
The OCR can fine organizations up to $1.5 million for each violation of HIPAA Privacy, Security and Breach Notification Rules, multiplied by the number of years that violation has been allowed to persist.
One of the best ways to reduce the risk of a violation as a result of staff snooping on PHI is to provide training to all staff on HIPAA Rules and Regulations covering PHI, the accessing of medical records, and the disclosure of medical information. Staff required to come into contact with PHI must be advised of the repercussions of improper access, and that they can include criminal prosecutions for HIPAA violations; not only termination of employment. Training should ideally be provided by an external accredited agency.