Under the HIPAA Privacy Rule, healthcare workers face potential jail time for knowingly obtaining PHI without patient authorization. Recently, a New York cancer center nurse accessed patient records without authorization, to find patients who had been prescribed certain drugs. The nurse then stole the drugs. Her actions resulted in revocation of her medical license and jail time. Details of this HIPAA prescription theft are discussed below.
HIPAA Prescription Theft: A Recipe for Jail – Violation of the HIPAA Privacy Rule
The story of HIPAA prescription theft begins with nurse Kelsey Mulvey’s working for Roswell Comprehensive Cancer Center (Roswell), near Buffalo, New York. While she worked there, she had access to vials of patient medication from a Pyxis machine, which automatically dispenses prescriptions. The Pyxis system identified a large number of transactions as “canceled removed,” meaning that the machine drawer for a selected medication was accessed, but the transaction was cancelled.
Roswell investigated the matter and concluded that Nurse Mulvey had removed and replaced controlled substances from the machine, replacing the medication vials with water. Many of these transactions took place in parts of the Cancer Center to which the nurse was not assigned, and had no patients. Roswell’s investigation also found that Nurse Mulvey had accessed the Pyxis machine on days she was scheduled to work, and on days when she was not scheduled to work, including vacation days.
In 2019, the United States Attorney’s Office charged Nurse Mulvey with theft of controlled substances, including hydromorphone, methadone, oxycodone, and lorazepam. All of these drugs were meant to have been administered to cancer patients. Nurse Mulvey was charged with failure to administer pain medication to 81 patients between February 2018 and June 2018. In addition, the complaint alleged, in June and July 2018, there was a span of waterborne infections at Roswell. The complaint therefore also alleged that six patients became infected as a result of the nurse’s replacing medications with contaminated water.
The nurse was also charged with tampering with a consumer product, acquiring controlled substances by fraud, and criminal violations of the HIPAA Privacy Rule. Federal law makes knowingly obtaining of PHI without authorization a crime. If the offense is committed with intent to use the PHI for personal gain, a defendant faces a fine of up to $250,000, and imprisonment of up to ten years. If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, they can be fined not more than $250,000, imprisoned not more than 10 years, or both.
HIPAA Prescription Theft: A Recipe for Jail – Penalties
As part of a plea deal entered into with prosecutors, Nurse Mulvey admitted to accessing patient records without authorization, to find patients who had been prescribed the pain medication she stole. She then admitted to refilling the prescription vials with water. Nurse Mulvey’s pleading guilty to one count of tampering with a consumer product, resulted in a sentence of up to a maximum of 97 months in jail, supervised release at the end of the jail term, and payment of restitution to victims.
Noted FBI Buffalo Field Office Special Agent, Stephen Belongia, on March 10, 2021, “Kelsey Mulvey’s plea today to tampering with powerful narcotics intended to ease the suffering of cancer patients here in Buffalo painfully resonates with the thousands of families who have personally faced the challenges and torment that comes with the crippling affliction of cancer.
Although the pain of addiction takes its own toll on those who suffer from it, it cannot and does not excuse medical professionals who intentionally compromise the health and comfort of cancer patients who deserve to receive safe and unadulterated medication meant to ease their pain.”
