By: Helen Oscislawski, Principal at Attorneys at Oscislawski LLC
An Alabama woman has been slapped with criminal charges in connection with the theft of patient information from Trinity Medical Center in Birmingham, Alabama, as reported by The Birmingham News. Section 1320d-6 imposes criminal penalties where any person knowingly uses a unique health identifier or obtains or discloses individually identifiable health information in violation of HIPAA.
The young woman, identified as Chelsea Catherine Stewart, allegedly stole paper surgery schedules from a closed patient registration area at the hospital while visiting a patient. Stewart was arrested the beginning of June after hundreds of pages of the schedules were found in the house where she was staying by police in connection with an ongoing investigation for mail theft and credit card fraud.
The schedules contained the names, dates of birth, social security numbers and certain medical information of approximately 4,500 patients of the hospital. In addition to the patient information, an affidavit by postal inspector John Bailey stated there were handwritten notes with information of other individuals which could be used for identity theft and a "to-do" list of sorts for fraud. Notes allegedly read, "Get hospital records together and run credit reports on people to get info."
The notice of the theft on Trinity Medical Center's website states, "All stolen information has been recovered....The hospital has no reason to believe this information has been or will be used in a way that would cause harm." However, Trinity Medical Center will be offering free credit monitoring for those affected patients. In addition to the notice on its website, the hospital also notified affected individuals of the theft by mail. If convicted, Stewart could face the maximum criminal penalties under §1320d-6 for "intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm" and up to 10 years in jail and $250,000 in penalties. Stewart also faces unrelated charges of credit card fraud and breaking into a vehicle.
The Alabama case joins a number of growing list of individuals being criminally prosecuted for violating HIPAA. Here are few more you may have heard about:
· (September 15, 2010). Paul Pepala was prosecuted in the Western District of Pennsylvania and indicted by a federal grand jury in Pittsburgh on charges of multiple illegal disclosures and use of patient health information for personal gain. Pepala, then employed at UPMC Shadyside Hospital, disclosed to others names, birth dates and Social Security numbers of patients for personal gain, in violation of HIPAA and disclosed Social Security numbers to other persons without their authorization. This information was used to file false tax returns in 2008. The maximum sentence faced by Pepala is 80 years in prison, a fine of $4,730,000, or both.
· (April 27, 2010). Huping Zhou was a licensed cardiothoracic surgeon in China employed in 2003 at UCLA Healthcare System as a researcher. On October 29, 2003, Zhou received a notice of intent to dismiss him from UCLA Healthcare for job performance reasons unrelated to his illegal access of medical records. That night, Zhou, without any legal or medical reason, accessed and read his immediate supervisor’s medical records and those of other co-workers. For the next three weeks, Zhou's continued his illegal accessing of patient records and expanded his illegal conduct to include confidential health records belonging to various celebrities. According to court documents, Zhou accessed the UCLA patient records system 323 times during the three-week period, with most of the accesses involving well recognized celebrities. In his plea agreement, Zhou admitted that he obtained and read private patient health and medical information on four specific occasions after he was formally terminated from the UCLA Healthcare System. Zhou acknowledged that at the time he viewed these patients’ medical information, he had no legitimate reason, medical or otherwise, for obtaining the personal information. Defendant was ordered to pay to the United States a special assessment of $100 dollars and pay a fine of $2,000 dollars, to be paid in full within 90 days of sentencing. The Defendant was ordered to be imprisoned for a term of 4 months on each count of violating HIPAA, to be served concurrently! Upon release from imprisonment the defendant was ordered to be placed on supervised release for a term of 1 year.
· (July 20, 2009). Dr. Jay Holland, Sarah Elizabeth Miller and Candida Griffin pled guilty to misdemeanor violation of the health information privacy provisions of HIPAA based on their accessing a patient’s record without any legitimate purpose. The patient in this case was a celebrity news anchor who was shot and brought in to the hospital where the Defendants worked. The Defendants accessed the patient’s record multiple times “out of curiosity” and solely because she was a public figure. Each faced one year probation, $5,000 fine, $25 special assessment
· (December 4, 2008). Andrea Smith accessed a patient’s private medical information on November 28, 2006 and shared that information with her husband, who on that same day called the patient and reportedly told the patient he intended to use the information against the patient in an upcoming legal proceeding. In April, Smith pled guilty to wrongful disclosure of patient health information for personal gain and malicious harm. She was sentenced to 2 years probation, and 100 hours community service.
