Tip

HIPAA criminal convictions outpace sanctions

This is part of a continuing series. Read part 1, "HIPAA enforcement getting stronger" and part 2, "HIPAA enforcement, more government audits leading to more convictions."

Despite the huge number of Health Insurance Portability and Accountability Act complaints, as of Feb. 25 there have been only two noncompliance sanctions applied by the U.S. Department of Health and Human Services, compared with eight HIPAA criminal felony convictions. All eight of the criminal convictions were basically the result of insiders abusing authorized access to protected health information (PHI) in order to commit crimes. The insider threat has always been significant. It is likely to become even more of a concern.

HIPAA criminal convictions

| Date | Situation | Penalty |
| --- | --- | --- |
| December 2008 | Andrea Smith of Trumann, Ark., convicted of accessing and disclosing a patient's health information from her place of employment for personal gain. | Sentenced to two years probation and 100 hours of community service. |
| May 2008 | Leslie A. Howell, who worked at an Oklahoma City counseling center, gave patient files to Ryan Jay Meckenstock and Nicole Lanae Stevenson, who used the files "to make counterfeit identification papers that helped them obtain merchandise and credit from a number of retailers." | Sentenced to 14 months in prison. |
| February 2008 | Meckenstock and Stevenson used stolen patient files from Howell, as well as from stolen and discarded mail, Internet searches, credit reports and car burglaries, to produce counterfeit identification documents (IDs) to obtain merchandise and credit from various merchants. | Meckenstock was sentenced to serve 119 months in federal prison. Stevenson was sentenced to serve 168 months in federal prison. Each defendant was ordered to pay $101,896.39 in restitution to the victims. |
| January 2007 | Isis Machado, an employee at the Cleveland Clinic in Weston, Fla., was charged with obtaining computerized patient files and downloading individually identifiable health information of more than 1,100 Medicare patients, and then selling the information to her cousin, Fernando Ferrer Jr., owner of Advanced Medical Claims Inc. in Naples, Fla. Ferrer then used the information to submit approximately $2.8 million in fraudulent Medicare claims. Machado and Ferrer were each found guilty of conspiring to defraud the United States, one count of computer fraud and one count of wrongful disclosure of individually identifiable health information. | Ferrer was sentenced to 87 months in prison, to be followed by three years of supervised release, and must pay $2.5 million in restitution. Machado was sentenced to three years probation, including six months of home confinement, and ordered to pay $2.5 million in restitution. |
| March 2006 | Liz Arlene Ramirez was convicted for selling individually identifiable health information about an FBI agent to a drug trafficker in exchange for $500. | Sentenced to serve six months in jail followed by four months of home confinement with a subsequent two-year term of supervised release and a $100 special assessment. |
| August 2004 | Richard Gibson, an employee of the Seattle Cancer Care Alliance, a treatment center for cancer patients, stole patient information and used it to obtain credit cards in that patient's name, then used them to receive cash advances and to purchase various items, including video games, home improvement supplies, apparel, jewelry and gasoline valued at $9,139.42. | Signed a plea agreement and was convicted and sentenced to 16 months in prison. As part of his plea bargain, Gibson agreed to make restitution to the credit card companies whose cards he had used to make illegal purchases and to the victim of his identity theft. |

HIPAA noncompliance sanctions

| Date | Company | Situation | Penalty |
| --- | --- | --- | --- |
| Feb. 18, 2009 | CVS | Disposal of PHI | $2.25 million, information security improvements and ongoing audits. |
| July 2008 | Providence Health & Services | Loss of electronic backup media and laptop computers containing individually identifiable health information. | $100,000, plus implementation of a detailed corrective action plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. |

This was first published in March 2009
