HIPAA Criminal Prosecutions on the RiseThe Latest: Ex-Hospital Worker Gets 3-Year Prison Sentence
A former Tampa General Hospital worker has been sentenced to 37 months in federal prison in a case involving criminal HIPAA violations and tax fraud.
Some privacy and security experts say such prosecutions of HIPAA cases could be on the rise - especially when the violations are tied to other crimes. The Tampa case joins a handful of other recent cases involving insiders who also received prison sentences for their illegal access or disclosure of patient data.
"HIPAA criminal cases are rare, but the Department of Justice will bring them if it turns out that insiders are using protected health information for improper purposes - like identity theft, Medicare fraud, tax fraud, or selling to the media," notes privacy attorney Kirk Nahra of the law firm Wiley Rein LLP. "
In a statement, the U.S. Department of Justice says a U.S. district court judge on Aug. 3 sentenced Shanakia Benton, a former worker at Tampa General Hospital to 37 months in federal prison for wrongful disclosure of individual identifiable health information and wire fraud.
As part of her sentence, Benton was ordered to pay $77,239 related to the proceeds of the wire fraud. She pleaded guilty on May 2, 2016.
Prosecutors say in court documents that Benton had access to the personal health information of thousands of patients. "She regularly received training regarding HIPAA, which prevents the unauthorized disclosure of personal health information," the justice department says in its statement.
"Despite her training, between June 2011 and December 2012, Benton illegally accessed the personal information of more than 600 TGH patients. Benton and her accomplices then used that information to file at least 29 false tax returns seeking refunds totaling $226,000."
Benton was a unit customer service representative who provided clerical assistance at the hospital, says a Tampa General Hospital spokesman.
The hospital has taken a number of measures to boost data security and privacy, "but not just because of the incident," he says.
"We are keenly aware of the threats everyone faces from hackers and criminals, and we always make use of the latest security enhancements," he says. "Without going into specifics, we now have tools to mask the kinds of information sought by identity thieves. We believe the enhanced security of our electronic medical records, combined with the handing down of stiff federal prison sentences and fines, acts as a deterrent that did not exist at the time this crime took place."
More to Come?
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says there likely will be more prosecutions of cases involving alleged criminal HIPAA violations.
Identity theft, including filing of false tax returns, is not going away," he says. "When the crime occurs through the use of a healthcare provider's protected health information, prosecutors may be getting more comfortable using HIPAA's criminal provisions as a means to prosecute these crimes."
The sentencing of Benton in the Tampa General Hospital case follows the recent conviction of another former healthcare worker at a different hospital in Ohio.
In June, a federal jury in Ohio convicted Jamie Knapp, a former respiratory therapist at ProMedica Bay Park Hospital in Oregon, Ohio of wrongly obtaining individually identifiable health information. Prosecutors claimed the therapist was using the patient information for seeking, obtaining or using intravenous drugs (see Respiratory Therapist Convicted in HIPAA Criminal Case).
In that case, indictment documents said that from May 10, 2013 to about March 25, 2014, Knapp wrongfully obtained computerized PHI of approximately 596 ProMedica patients. Prosecutors said that in her capacity as a respiratory therapist, Knapp was authorized to access individually identifiable health information of certain respiratory patients, but she accessed the HIPAA-protected information of others without authorization.
Knapp faces up to one year of prison. Her sentencing is tentatively slated to occur no sooner than in October.
Also among other recent criminal HIPAA prosecutions was a case involving Joshua Hippler, an employee of an unidentified hospital in East Texas. In February 2015, Hippler was sentenced to serve 18 months in prison after pleading guilty to wrongful disclosure of individually identifiable health information (see Prison Term in HIPAA Violation Case). Federal prosecutors in that case said that Hippler used his position as a hospital employee to obtain PHI with the intent to use it for personal gain.
In one of the harshest sentences handed out so far in a HIPAA-related case, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced in April 2013 to serve 12 years in prison in a case that also involved $10.7 million in Medicare fraud, as well as criminal HIPAA violations.
Healthcare organizations should take notice of the emerging trend involving criminal cases being filed against employees, Greene says. "For healthcare providers, this [Benton] case is a reminder that, while much of the past year's headlines have focused on external cyberattacks, insider threats remain prevalent," he says.
"Organizations should consider where they have Social Security numbers and other information at high risk for identity theft, whether there are ways to further reduce access to such information, and how best to automatically monitor for any suspicious patterns of access."
Healthcare attorney Betsy Hodge of the law firm Akerman LLP urges covered entities and business associates to pay equal attention to threats outside their organization - such as ransomware - and the internal risks that their current or former employees and contractors pose to the privacy and security of PHI.
"Earlier this month, the [Department of Health and Human Services] Office for Civil Rights issued guidance stating that insider threats are becoming 'one of the largest threats to organizations' and providing recommendations for mitigating the possibility of theft of electronic PHI or fraud involving ePHI by employees and contractors," she notes (see Advice on Spotting Insider Threats).
"The fact that OCR chose the topic of insider threats for its August newsletter suggests that it is seeing an increasing number of incidents involving breaches by current or former employees of covered entities and business associates."
Warning to Workers
Recent criminal HIPAA cases should also serve as a wake-up call for healthcare workers involved in nefarious activity, Nahra says. "Employees should know that they are being monitored, and that they will get caught, that they likely will be fired ... and could be prosecuted," he says.
But of course, not all HIPAA violation cases involving employees encompass criminal activity, he notes. "These prosecutions are for inherently bad things - they aren't for sending a fax to the wrong number or disclosing mistakenly to a parent about a child, or any other slip-up or honest mistake," Nahra says. The criminal cases involve "issues that people know are wrong - no one commits tax fraud because they weren't trained properly," he says.
"Employers also need to know that these kinds of activities can happen - they need to monitor, audit, educate, inform, train, and make sure people know they will get caught," Nahra says.