First Criminal Sanctions Issued in HIPAA Records Snooping Case
Federal HIPAA laws and rules governing the confidentiality of health information restrict how that information can be used and disclosed. Although it is fine to use data for treatment, payment and health care operations purposes, it is not legal to view patient records merely out of curiosity – something a doctor and two former hospital employees in Arkansas learned the hard way, in the first HIPAA case in which sanctions were issued for records “snooping.”
In October 2008, an Arkansas television anchorwoman was found brutally beaten in her home. She was taken to a hospital, where she later died from her injuries. After watching news reports on television about the attack, a physician who worked at the hospital logged in to the hospital’s patient records database from his home computer to see if the news reports were accurate.
According to a July 20, 2009 press release issued by the United States Attorney’s office for the Eastern District of Arkansas, the physician “stated that he then logged off the computer admitting that it was inappropriate for him to be looking at the file.” The physician had been trained in HIPAA’s requirements and “understood that he was violating HIPAA when he accessed the file.”
Another person who looked at the patient’s files was an account representative at the hospital. She admitted that, during a two-day period, she viewed the patient’s files approximately 12 times, also out of curiosity.
An emergency room unit coordinator with secretarial responsibilities was told to set up an alias for the patient when the patient was admitted to the emergency room. The coordinator became curious about the patient’s condition and accessed the medical chart three times to see if the patient was still alive.
Sentencing and Other Consequences
The hospital suspended the physician’s privileges for two weeks and required him to take a HIPAA on-line training course. The account representative and the emergency room unit coordinator were both fired. In July 2009, each of these individuals pled guilty to misdemeanor violations of HIPAA.
Although the discipline imposed on the physician by the hospital was less severe than that meted out to his colleagues, the physician’s criminal penalties – announced on October 26, 2009 – were slightly more severe. All three individuals were sentenced to a year of probation, but the physician also received a $5,000 fine and 50 hours of community service. (The latter will involve educating professionals about HIPAA.) The account representative received a $2,500 fine, and the emergency room unit coordinator must pay a $1,500 fine.
Commenting on the sentences, U.S. Attorney Jane Duke said, “We hope today’s sentencings send the message that the HIPAA protections apply to every person in the community, regardless of their position or stature. Likewise, the penalties for violating HIPAA apply equally to every person with access to protected health information."