A former University of Pittsburgh Medical Center (UPMC) employee was indicted by a federal grand jury for criminal HIPAA violations.
The Pittsburgh federal grand jury charged the former patient information coordinator with six counts of wrongfully obtaining and disclosing protected health information (PHI). HIPAA regulation defines PHI as any demographic information that can be used to identify a patient. The UPMC employee used her position to illegally obtain access to the PHI of 111 individual patients between March 30, 2016, and August 14, 2017, resulting in criminal HIPAA violations.
The UPMC employee was also charged with four separate occasions of wrongfully disclosing the PHI of three individuals, between December 30, 2016, and August 11, 2017. The indictment claims that these occasions were perpetrated with the intent to cause malicious harm–although the court documents do not specify the harm that she intended.
The employee’s work between UPMC, UPMC affiliate Tri Rivers Musculoskeletal Centers, and Allegheny Health Network gave her access to PHI in each organization’s electronic health records (EHR) systems. Her authorization allowed her to access PHI “as necessary to provide services to patients or as otherwise authorized by a patient or the law.”
The U.S. Department of Justice (DOJ) included in their statement on June 29, 2018 that the former UPMC employee faces a potential maximum sentence of 11 years in prison, a $350,000 fine, or both. The accused was expected to post unsecured bond of $10,000 on June 28, court records show.
The indictment comes from the result of an FBI investigation into the matter. Assistant U.S. Attorney Carolyn Bloch is prosecuting the case on behalf of the United States Government. An indictment is simply an accusation, leaving the defendant presumed innocent until proven guilty. Further details of the employee’s next court date were not made available.
New Trends in HIPAA Enforcement
This case is just one of a number of high profile criminal HIPAA indictments and convictions over the past few years. Former Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Director, Jocelyn Samuels is on record stating that “While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.”
Threats of enforcement from federal regulators is now paired with criminal indictments, and even the growing threat of civil HIPAA lawsuits. Earlier in 2018, a physician was charged with criminal HIPAA violations–proving this isn’t only a threat faced by lower-level employees. HIPAA violations are becoming an ever-present risk faced by health care professionals of every size and scope.
Here at Compliancy Group, we help health care organizations train their individual employees to become and remain HIPAA compliant through our web-based software, The Guard. Our clients are able to Achieve, Illustrate, and Maintain their compliance with our simple and affordable service. Find out how you can simplify your compliance today with Compliancy Group!