Violations of HIPAA regulations, failures to ensure compliance, and accidental compromises of patient privacy can lead to heavy fines for healthcare organizations. Criminal charges may also be filed if it can be proven that data was viewed or copied for personal profit or gain, as in the case of a former staff member of an East Texas hospital.
The Office of the Inspector General of the U.S. Department of Health and Human Services, in conjunction with the U.S. Postal Inspection Service, investigated a former staff member of an East Texas hospital and found evidence of criminal activity.
The hospital employee is believed to have obtained Protected Health Information (PHI) while working at the hospital between December 1, 2012 and January 14, 2013. The individual has now been indicted for criminal violation of the Health Insurance Portability and Accountability Act and faces a charge of Wrongful Disclosure of Individually Identifiable Health Information.
The theft or illegal use of PHI for personal gain or to cause malicious damage is relatively rare, although there have been some notable cases over the past 10 years. The penalties for the offender are stiff: if found guilty, sentences of up to 10 years in jail can be imposed along with financial penalties.
The incident serves as a warning to healthcare organizations to be aware of internal dangers to data security in addition to implementing measures to protect data against unlawful access by external third parties.
Internal data breaches are deemed HIPAA violations, and the organization responsible for the staff member can also be held accountable for any data breach or theft. As part of HIPAA compliance audits, staff access rights to databases containing PHI must be reviewed and access restricted to what each role requires. A record of staff training on HIPAA compliance must also be kept, and the obligations under HIPAA should be effectively communicated to all staff.