HIPAA Criminal Violations on the Rise

Stories appear almost every day about medical records being improperly accessed, hacked or otherwise stolen.  The number of stories about such thefts is almost matched by the number of stories about the high value placed upon medical records by identity thieves and others.  This confluence of events highlights the pressure the healthcare industry faces to protect the privacy and security of medical records in all forms.

While stories about hacking and other outside attacks garner the most attention, the biggest threat to a healthcare organization’s records is most likely an insider.  The insider threat can range from snooping (accessing and viewing records out of curiosity) to more criminal motives such as wanting to sell medical information.  Examples of criminally motivated insiders, unfortunately, are increasing.

One recent example occurred at Montefiore Medical Center in New York, where an assistant clerk allegedly stole patient names, Social Security numbers, and birth dates from thousands of patients.  The hospital employee then sold the information for as little as $3 per record.  The individuals who acquired the information allegedly used it to go on a shopping spree across New York for over $50,000.

Another recent example comes out of Providence Alaska Medical Center in Anchorage, AK.  There, a financial worker at the hospital provided information about a patient to a friend.  Unfortunately, the information concerned someone that friend had injured, an injury for which he was under criminal investigation.  The friend wanted to know if either of the patients had reported him to the police.  Clearly, the access by the financial worker was improper.

While it could previously be said that instances of criminal convictions or indictments were rare, the examples do appear to be coming with increasing frequency.  What should organizations do?  Is this conduct actually preventable?  As is true with HIPAA compliance generally, the key is to educate and train members of an organization’s workforce.  If someone is unaware of HIPAA requirements, it is hard to comply.

However, it can also be extremely difficult to prevent criminal conduct altogether.  If an individual has an improper motive, that individual will likely find a way to do what they want to do.  From this perspective, organizations cannot prevent the conduct, but should consider what measures can be taken to mitigate the impact of improper access or taking of information.  It would be a good idea to monitor and audit access to and use of information, so that the organization can catch when information could be going out or is otherwise being accessed inappropriately.  Overall, the issue becomes one of how well an organization monitors its systems and takes action when a suspected issue presents itself.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.

One Response to HIPAA Criminal Violations on the Rise

  1. Julie says:

    I was the victim of a HIPAA Violation. A doctor who was a predator accessed my medical records over 500 times in 18 months and printed them 30 times. He stalked me and sexually assaulted me outside the hospital. Other than being fired from the hospital nothing happened to him. The medical board has been investigating along with the Office of Health Information and Integrity in Sacramento, CA since 2013 and nothing has happened with these two organizations. HIPAA to me is a false sense of security and our justice system is messed up.
    Thank you for your article.
