News: Latest HIPAA criminal case suggests more aggressive tack

September 1, 2008

A nurse employed by a clinic was charged for allegedly wrongfully disclosing a patient's protected health information and using it for personal gain and malicious intent.

In what is believed to be only the fourth criminal case brought under the Health Insurance Portability and Accountability Act (HIPAA), a nurse employed by a clinic was charged for allegedly wrongfully disclosing a patient's protected health information and using it for personal gain and malicious intent. The case is of particular interest because Department of Justice guidelines issued in 2005 suggested that HIPAA-covered entities, such as hospitals, health insurers, and physicians, would face criminal penalties for unauthorized disclosures but not necessarily individuals, such as employees or a covered physician's "business associates" (outside entities, vendors, and individuals). Yet in this case, an employee, but not the covered entity for which she worked (Northeast Arkansas Clinic), was charged, according to American Medical News (7/14/08). The litigation therefore seems to signal more aggressive efforts by the government to root out privacy breaches and a willingness to prosecute individuals when they use protected health information for personal benefit.

According to the indictment in the Arkansas case, Andrea Smith accessed the private medical information of a clinic patient and disclosed that information to her husband. Justin Smith then told the patient that he intended to use the private information in an upcoming legal indictment. In a plea agreement, Andrea Smith pleaded guilty to wrongful disclosure of individually identifiable health information for personal gain and malicious harm, and in return the United States dismissed two other charges against Smith and charges against her husband. Smith faces a maximum penalty of 10 years in prison, a fine of not more than $250,000, or both, and a term of supervised release.

According to legal experts, health-care entities are unlikely to face criminal sanctions for an unlawful disclosure by an employee if they have adequate protection in force or are unaware of the violation. Northeast Arkansas Clinic, for example, says it has "stringent policies in place to deal with HIPAA violations." As soon as it received a complaint from the patient whose privacy was violated, the clinic conducted an internal investigation and immediately terminated Smith. Legal observers warn, however, that physician offices dealing with a privacy breach by an employee are also exposed to state civil liability claims brought by patients.