Breaching the privacy of a patient’s records could send her to jail and jeopardize the entire clinic.
What began as “harmless” poking through medical records ended in an arrest and possible jail time for a licensed practical nurse who shared a patient’s medical information. She put her physician-employer in jeopardy too.
Ms. A, 29, had worked at a midsize regional clinic for five years. While she enjoyed her job and got on well with Dr. P, her supervisor, she was known to bemoan what she saw as low pay and to mention that she and her husband were suffering some financial strain. That strain intensified when her husband was in an auto accident and then sued by the people in the other car seeking compensation for their injuries.
One day, as Ms. A was flipping through charts to straighten up the files, she came across a chart bearing the name of the plaintiff in her husband’s lawsuit. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file.
That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she’d taken earlier. “I think these will help,” she said.
The following day, Mr. A phoned the man who was suing him. During the conversation, Mr. A made it known that he had medical information which he believed weakened the man’s case. Mr. A suggested that the man consider dropping the lawsuit.
After getting off the phone with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney.
The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.
After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed the staff that no breach of these laws would be tolerated under any circumstances.
Meanwhile, Ms. A’s problems were just beginning. The district attorney forwarded the patient’s complaint to a federal prosecutor, and within a month both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering.
The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. After a great deal of soul-searching, Ms. A pleaded guilty to one count of wrongful disclosure. In exchange, the charges against her husband were dismissed.
Ms. A is currently awaiting sentencing. She faces up to 10 years in prison, a fine as high as $250,000, and as many as three years of supervised probation. Meanwhile, the state nursing board is seeking to revoke her license.
Since HIPAA went into effect in 2003, more than 34,000 complaints of privacy violations have been filed. Most of these complaints (approximately 80%) have been resolved.
About 400 of the unresolved cases have been referred to the federal Department of Justice, but only a handful have been prosecuted. This is likely to change, however, as violations are taken more seriously and the government gears up for these types of cases.
While some HIPAA violations are inadvertent—a stolen laptop with patient records on it, for example, or a computer glitch that reveals information on the Internet—Ms. A’s violation struck at the heart of what HIPAA is supposed to prevent. She accessed patient records, gathered information, and then provided that information to someone else, knowing full well that it would be used against the patient’s interest. Her prosecution was meant to set an example and warn HIPAA-covered entities that the regulation is serious and must be upheld.
Ms. A’s actions could have put the clinic itself in danger of prosecution, but management handled the situation in the best way possible:
—Dr. P fired her on the spot after the patient notified him of the breach.
—Then, without delay, he called a meeting to educate staff members—both clinical and clerical—about HIPAA, its purpose, the importance of patient privacy, and what can happen in the event of a violation.
As an employer, it is essential that you not wait for an incident. The best way to protect yourself is to ensure that your employees understand HIPAA regulations.
—Educate your employees upon hire and periodically thereafter.
—Keep written records detailing clinic policy and include it in all employee manuals or handbooks.
Ms. Latner, a former criminal defense attorney, is a freelance medical writer in Port Washington, N.Y.