Texan prosecutors recently filed an indictment in the Tyler District Court against Joshua Hippler, a 30-year-old former worker at an unnamed hospital in East Texas. In accordance with the Health Insurance Portability and Accountability Act of 1996, individuals and covered bodies can face criminal charges for violations of HIPAA Privacy and Security Rules. The case was filed earlier in 2014 but it was sealed until July 3.
Mr Hippler is charged with one count of violations of HIPAA Rules after he stole medical records from the hospital where he was employed. According to a statement issued to Security Media Group, and reported on databreachtoday.com, a spokesperson for the Department of Justice stated: “We cannot comment on how many patient records, his job, employer or the nature of the violation in detail as this is an ongoing investigation. The violation came to light when Hippler was arrested in Georgia and found to be in possession of patient records. Although criminal HIPAA charges are uncommon, our decision to charge Hippler is not based on any DOJ directive or crackdown.”
The case will begin on Sept 3, 2014, and if found guilty, Hippler could be issued with a penalty of $250,000 and could face up to 10 years in jail.
Even though criminal charges can be pressed, to date there have been few cases that have gone to court. Court cases are usually reserved for cases of medical or identity fraud, and in this case, while there may have been intent to sell, the information does not seem to have been disclosed to other individuals.
Most cases of improper disclosure of medical information involve no malicious intent and many involve accidental disclosure of PHI. Many of these cases also involve multiple members of the workforce and arise out of a lack of training on HIPAA Privacy and Security Rules, with the institution itself responsible for the majority of cases for failing to provide training as required under the Security Rule administrative safeguards.
However, the value of healthcare data coupled with poor security standards in many hospitals is proving tempting for many workers and each year there are numerous cases of improper accessing of medical records by hospital staff.
While a criminal case such as this cannot make up for a data breach, it does bring the matter to the attention of the media and sends a warning to healthcare workers that the theft of PHI will not be tolerated. Action can be, and is, taken against people who violate the privacy of patients by accessing or stealing their healthcare information and personal identifiers, and the sanctions for these actions can be severe.
This incident should also send a message to healthcare organizations that they must take patient privacy seriously and put in place policies and procedures to protect the data they hold on patients. Not only can criminal charges be sought against workers for snooping on patient data, but the organizations that these people work for could also face stiff financial penalties if it is found that they have not provided training on HIPAA Privacy and Security Rules or have not informed their workforce of the consequences of breaching HIPAA Rules.