A former respiratory therapist was convicted of wrongly accessing individually identifiable health information by a federal jury on June 23 of this year. The charges claimed that the therapist was using the information to seek, obtain, or use intravenous drugs.
The therapist, Jamie Knapp, age 26, was employed at ProMedica Bay Park Hospital in Oregon, Ohio. Prosecutors allege that Knapp had been wrongfully accessing patients’ protected health information (PHI) from May of 2013 until March of 2014. Over that time, she is said to have accessed approximately 596 ProMedica patients’ data–a massive breach of patients’ rights to privacy under HIPAA.
According to ProMedica, Knapp was authorized to access the PHI of a select group of patients as per her organizational role. HIPAA regulation outlines “minimum necessary disclosure” rules that govern how much PHI can be disclosed to them over the course of their work. Usually, this access is limited based on the scope of an employee’s role within an organization by HIPAA-mandated policies and procedures.
HIPAA criminal convictions are levied sparingly. Over the course of their investigation, the Office for Civil Rights (OCR) must be able to prove that the suspected individual has knowingly accessed or disclosed PHI and that they’ve done so without lawful authorization. Because of the difficulty in proving these two factors, HIPAA criminal penalties are usually saved for instances when PHI is being used to commit identity theft or fraud–making them all the more serious when they happen.
Director of OCR, Jocelyn Samuels, went on record in February of 2016, saying that: “While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.”
HIPAA enforcement is entering a new era of stricter fines and prosecution. The Department of Health and Human Services (HHS) OCR has made it clear that they will continue to pursue serious HIPAA violations, with plans to implement a permanent audit program in the coming years.
Organizations should ensure that they have reviewed their policies and procedures annually in order to prevent PHI breaches like this in the future. In addition, employees need to be trained on these policies and procedures in order to ensure that they understand what kind of access is or is not appropriate based on the role they play within their organization. Even though rogue employees can still choose to violate these policies, organizations that have followed through with comprehensive compliance plans can protect themselves from liability in the unfortunate event that something like this occurs.