Former Therapist Charged in HIPAA Case
Faces Charges Tied to Inappropriate Access to Records
A former respiratory therapist at an Ohio hospital has been indicted for HIPAA violations in connection with alleged inappropriate access to the records of nearly 600 patients.
The indictment of Jamie Knapp, who had formerly worked at ProMedica Bay Park Hospital in Oregon, Ohio, is one of only a handful of criminal prosecutions of individuals for HIPAA violations.
"Overall, criminal prosecutions under HIPAA have not been that common, although we have seen an increase in recent years," says privacy attorney Scot Ganow of the law firm Faruki Ireland & Cox PLL. "I do expect us to see more prosecutions as the interest in healthcare information increases for a variety of purposes, including identity theft, cyberstalking, public shaming and celebrity watching."
According to indictment documents filed this month in a federal court in Ohio, a grand jury indicted Knapp for unlawfully obtaining identifiable health information of 596 patients in violation of HIPAA. The grand jury also charged Knapp with unauthorized access of a protected computer, in violation of federal laws.
"In her capacity as a respiratory therapist, Knapp was authorized to access individually identifiable health information and protected health information of certain respiratory patients," according to the indictment. "Knapp was not authorized to access the individually identifiable health information and protected health information of other hospital patients."
Federal prosecutors involved in the case did not immediately respond to Information Security Media Group's request for more details about the alleged HIPAA violations.
Accessing protected health information without authorization and the disclosure of this information to a third party carries a jail term of up to 10 years in addition to a maximum fine of $500,000 if the disclosure is made for personal gain, Ganow says.
On May 28, 2014, ProMedica, the parent company of the 72-bed hospital where Knapp worked, began notifying the affected patients that their records were inappropriately accessed between April 1, 2013, and April 1, 2014 (see Police Investigating Insider Breach). The breach was also reported to the U.S. Department of Health and Human Services, which has listed the incident on its "wall of shame" website of major breaches as an unauthorized access/disclosure incident involving electronic medical records and a network server.
Other HIPAA Cases
There have been only a handful of other HIPAA-related indictments of individuals that have resulted in convictions and prison sentences.
"Most recently, we saw the criminal conviction of hospital employee Joshua Hippler in Texas for wrongful disclosure of individually identifiable health information for personal gain," Ganow notes. In February, Hippler was sentenced to serve 18 months in prison after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information (see Prison Term in HIPAA Violation Case).
Federal prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital, where he obtained protected health information with the intent to use it for personal gain.
In another case in October 2013, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.
Ganow predicts prosecutors will pursue more of these criminal HIPAA cases. "As long as the healthcare industry continues to actively use Social Security numbers and not take steps to redact them or commit to a minimum use policy, we will see increased criminal activity and related prosecutions," he says. "Because healthcare records have names, dates of births and SSNs, they are a tempting target for one-stop shop identity thieves."
Still, there are steps that healthcare entities can take to minimize insider breaches.
"It's not enough to have your policies, procedures and safeguards in place. You have to continually assess your security posture for new threats or new risks as a result of a new use of information," he says.
"In some instances, such as transactions under the Affordable Care Act, SSNs are required and a necessary evil because of tax implications. That said, healthcare entities would do well to isolate SSNs from other data, encrypt or redact SSNs whenever possible, and embrace the 'minimum necessary' use principle under HIPAA to mitigate risks to SSNs and all PHI," Ganow suggests.
"Technology can only do so much. Data governance still comes down to people," he adds. "Train employees well and audit their compliance. We stress to clients that data privacy and security is everyone's business. You will always have bad actors, but you can prevent their bad acts or mitigate resulting harms from such bad acts with solid policies, procedures, training and oversight."
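The two controls Ganow describes, the "minimum necessary" scope of access and auditing staff compliance with it, can be checked mechanically against the access logs an EHR system already keeps. The following is an added example written for this article; it is not code from ProMedica, the prosecutors, or the law firm quoted above. The log layout, the user and patient identifiers, the daily assignment list and the SSN string are all constructed for illustration. It flags chart reads by a user for patients outside that user's assigned list (the pattern described in the indictment, where a therapist was authorized only for certain patients), and it redacts SSNs before the findings are written out so the audit report itself does not become a new exposure.

```python
"""Added example (hypothetical data): audit EHR access records for reads outside
a user's assigned-patient scope, and redact SSNs before reporting."""
import re
from collections import defaultdict

# Constructed audit records: (timestamp, user_id, role, patient_id, action).
# Users and patients are invented; u-rt17 is assigned only P-1001 and P-1002.
ACCESS_LOG = [
    ("2013-04-01T08:02", "u-rt17", "respiratory_therapist", "P-1001", "view_chart"),
    ("2013-04-01T08:05", "u-rt17", "respiratory_therapist", "P-1002", "view_chart"),
    ("2013-04-01T08:07", "u-rt17", "respiratory_therapist", "P-2200", "view_chart"),
    ("2013-04-01T08:09", "u-rt17", "respiratory_therapist", "P-2201", "view_chart"),
    ("2013-04-01T09:15", "u-rn04", "nurse", "P-1001", "view_chart"),
]

# Constructed assignment list: the patients each user is caring for on this shift.
# A user missing from this map has no scope at all, so every read is flagged.
ASSIGNMENTS = {
    "u-rt17": {"P-1001", "P-1002"},
    "u-rn04": {"P-1001", "P-1003"},
}

# Matches the common NNN-NN-NNNN SSN shape; used only to mask, not to validate.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def out_of_scope_accesses(log, assignments):
    """Return the log entries where a user read a chart not in their assignments."""
    return [rec for rec in log if rec[3] not in assignments.get(rec[1], set())]


def accesses_per_user(log):
    """Count chart reads per user, regardless of scope (useful as a baseline)."""
    counts = defaultdict(int)
    for rec in log:
        counts[rec[1]] += 1
    return dict(counts)


def redact_ssn(text):
    """Mask all but the last four digits of anything shaped like an SSN."""
    return SSN_RE.sub(r"***-**-\3", text)


def audit_report(log, assignments, threshold=1):
    """Map each user with at least `threshold` out-of-scope reads to the
    sorted list of patient ids they touched outside their scope."""
    per_user = defaultdict(list)
    for rec in out_of_scope_accesses(log, assignments):
        per_user[rec[1]].append(rec[3])
    return {user: sorted(pids) for user, pids in per_user.items()
            if len(pids) >= threshold}


if __name__ == "__main__":
    for user, pids in audit_report(ACCESS_LOG, ASSIGNMENTS).items():
        print(f"{user}: {len(pids)} out-of-scope read(s): {', '.join(pids)}")
    # Any free-text field copied into the report passes through redact_ssn first.
    print(redact_ssn("note: patient SSN 123-45-6789 confirmed at intake"))
```

Run against a real export, the assignment map would come from the scheduling or admission system rather than a literal, and the threshold would be tuned so that a single mis-click does not page anyone while a sustained pattern of reads outside scope does. Treating an absent assignment entry as "no scope" is a deliberate deny-by-default choice: it surfaces accounts that should have been deprovisioned as well as staff reading beyond their role.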