HIPAA criminal convictions outpace sanctions

Despite the huge number of Health Insurance Portability and Accountability Act complaints, as of Feb. 25 there have been only two noncompliance sanctions applied by the U.S. Department of Health and Human Services, compared with eight HIPAA criminal felony convictions. All eight of the criminal convictions were basically the result of insiders abusing authorized access to protected health information (PHI) in order to commit crimes. The insider threat has always been significant. It is likely to become even more of a concern.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT HIPAA and other healthcare compliance requirements IT compliance: FAQs about IT operations, regulations and standards Enterprise document management FAQ: IT operations and compliance Google adds Dashboard: Does transparency mean more online privacy? Compliance news quiz: Test your knowledge of FTC, SB 20, PCI and more HIPAA-covered entities' first step should be a quality assurance plan HITECH moves electronic health records forward; standards to come HITECH FAQ: What is the impact of the HITECH Act on IT operations? Discovery of data breach under HITECH raises big compliance questions Healthcare, cybersecurity policy and privacy on legislative agenda Record locator service a step to health information exchange Managing governance and compliance A business continuity management standard would offer consistency Business Model for Information Security: Security right the first time Facing uncertainty, IT turns to governance, risk and compliance, ERM Google adds Dashboard: Does transparency mean more online privacy? NERC CSO warns of cybersecurity threats, risk to electric grid Priorities for your sound regulatory compliance management policy Threat management for information systems relies on categorization HITECH FAQ: What is the impact of the HITECH Act on IT operations? Survey shows privacy policy success lies in collaboration with IT Record locator service a step to health information exchange Compliance Tips Business Model for Information Security: Security right the first time Effective compliance document management in five days FTC compliance mandates new rules for social media marketing How to design an FTC compliance program for social media marketing New evaluation criteria for Web application security scanners Priorities for your sound regulatory compliance management policy Data loss prevention technology matures but is still no cure-all Threat management for information systems relies on categorization HIPAA-covered entities' first step should be a quality assurance plan Discovery of data breach under HITECH raises big compliance questions

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Dossia  (SearchCompliance.com) personal health record (PHR)  (SearchCompliance.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

101,896.39 in restitution to the victims.
January 2007 Isis Machado, an employee at the Cleveland Clinic in Weston, Fla., was charged with obtaining computerized patient files and downloading individually identifiable health information of more than 1,100 Medicare patients, and then selling the information to her cousin, Fernando Ferrer Jr., owner of Advanced Medical Claims Inc. in Naples, Fla. Ferrer then used the information to submit approximately $2.8 million in fraudulent Medicare claims. Machado and Ferrer were each found guilty of conspiring to defraud the United States, one count of computer fraud and one count of wrongful disclosure of individually identifiable health information. Ferrer was sentenced to 87 months in prison, to be followed by three years of supervised release, and must pay $2.5 million in restitution. Machado was sentenced to three years probation, including six months of home confinement, and ordered to pay $2.5 million in restitution.
March 2006 Liz Arlene Ramirez was convicted for selling individually identifiable health information about an FBI agent to a drug trafficker in exchange for $500. Sentenced to serve six months in jail followed by four months of home confinement with a subsequent two-year term of supervised release and a $100 special assessment.
August 2004 Richard Gibson, an employee of the Seattle Cancer Care Alliance, a treatment center for cancer patients, stole patient information and used it to obtain credit cards in that patient's name, then used them to receive cash advances and to purchase various items, including video games, home improvement supplies, apparel, jewelry and gasoline valued at $9,139.42. Signed a plea agreement and was convicted and sentenced to 16 months in prison. As part of his plea bargain, Gibson agreed to make restitution to the credit card companies whose cards he had used to make illegal purchases and to the victim of his identity theft.
HIPAA noncompliance sanctions Date Company Situation Penalty
Feb. 18, 2009 CVS Disposal of PHI $2.25 million, information security improvements and ongoing audits.
July 2008 Providence Health & Services Loss of electronic backup media and laptop computers containing individually identifiable health information. $100,000, plus implementation of a detailed corrective action plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.

Rate this Tip To rate tips, you must be a member of SearchCompliance.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.