By Debra Wood, RN, contributor
A licensed practical nurse who pled guilty to wrongfully disclosing a patient’s health information for personal gain faces a maximum penalty of 10 years imprisonment, a $250,000 fine or both.
Andrea Smith, LPN, 25, of Trumann, Arkansas, and her husband, Justin Smith, were indicted on federal charges of conspiracy to violate and substantive violations of the Health Insurance Portability and Accountability Act (HIPAA) in December. At the time, Smith worked as a nurse at Northeast Arkansas Clinic, a multispecialty clinic in Jonesboro, Arkansas.
Smith accessed a patient’s private medical information on November 28, 2006, according to the indictment. She then shared that information with her husband, who on that same day, called the patient. Justin Smith reportedly told the patient he intended to use the information against the patient in an upcoming legal proceeding.
Northeast Arkansas Clinic has terminated Smith’s employment. The Arkansas Board of Nursing has opened a complaint and is gathering information about the situation, said Fred Knight, the board’s general council.
“What every HIPAA-covered entity needs to realize and reinforce to its employees is that privacy provisions of HIPAA are serious and have significant consequences if they are violated,” said U.S. Attorney Jane W. Duke, of the Eastern District of Arkansas, in a written statement.
In April, Smith pled guilty to wrongful disclosure of individually identifiable health information for personal gain and malicious harm. The United States dismissed the remaining count and the count against Justin Smith. Duke indicated Smith’s sentencing was expected to take place by mid-June.
“HIPAA is there to protect the rights of the patient,” said Jean Zehler, MSE, RN, BC, CNA, BC, president of the Arkansas Nurses Association. “This is something that could help people realize this is serious, and you have to be careful.”
Criminal enforcement of HIPAA is a fairly new concept, with only a handful of cases pursued since the U.S. Attorney in the Western District of Washington prosecuted the first criminal violation in 2004, Duke said.
Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology in Washington, D. C., agreed, saying, “criminal prosecutions are few and far between.” McGraw was not aware of any other cases involving a nurse and said it is very rare for a nurse to violate HIPAA, and those instances that do occur are typically inadvertent lapses in judgment or careless mistakes.
In the first criminal case, a phlebotomist, Richard W. Gibson, employed by the Seattle Cancer Care Alliance, obtained a cancer patient’s personal information from the health record and used that to fraudulently obtain four credit cards, charging $9,000 to the patient’s name. That patient, Eric Drew, tracked down the perpetrator on his own, while fighting leukemia, according to an account on his Web site. Gibson pled guilty and was sentenced to 16 months in prison.
As of July 2007, the federal government has secured a few other convictions. An employee at a doctor’s office in Texas, Liz Arlene Ramierez, pled guilty and was convicted of selling confidential medical information belonging to a Federal Bureau of Investigation Special Agent to someone she believed was working for a drug trafficker. She was sentenced to six months in prison.
In 2007, the U.S. Attorney Southern District of Florida obtained the first medical privacy criminal conviction after a trial. In that case, Isis Machado, a front desk office coordinator at The Cleveland Clinic in Weston, Florida, improperly obtained Medicare information and other demographic information about Cleveland Clinic patients in Naples, Florida, and sold that information to her cousin, co-defendant, Fernando Ferrer, of Naples, for $5 to $10 each. Machado improperly obtained the patient information of approximately 1,130 patients. That data led to $7 million in fraudulent Medicare claims.
Machado pled guilty to conspiracy and testified at trial against Ferrer. Machado was sentenced to three years probation, including six months of home confinement, and ordered to pay restitution of $2.5 million. Ferrer was sentenced to 87 months in prison, three years supervised release and ordered to pay $2.5 million in restitution.
In Delaware, Linda Danyell Williams, an insurance representative employed by Hospital Billing and Collection Services in New Castle, was indicted in November 2006 for allegedly conspiring to steal the identities of more than 400 of the billing company’s clients and selling the data to Richard Yaw Adjei, who used 163 of the stolen identities to file false and fraudulent tax returns, seeking refunds from the Internal Revenue Service. Williams pled guilty to two counts.
“Long gone are the days when medical employees snooped around office files for ‘juicy’ information to share outside the office,” Duke said. “We are committed to providing real meaning to HIPAA. We intend to accomplish enforcement of HIPAA’s right-to-privacy protections and swift prosecution of those who violate HIPAA for economic or personal gain or malicious harm.”
© 2008. AMN Healthcare, Inc. All Rights Reserved.