By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Despite the huge number of Health Insurance Portability and Accountability Act complaints, as of Feb. 25 there have been only two noncompliance sanctions applied by the U.S. Department of Health and Human Services, compared with eight HIPAA criminal felony convictions. All eight of the criminal convictions were basically the result of insiders abusing authorized access to protected health information (PHI) in order to commit crimes. The insider threat has always been significant. It is likely to become even more of a concern.
|December 2008||Andrea Smith of Trumann, Ark., convicted of accessing and disclosing a patient's health information from her place of employment for personal gain.||Sentenced to two years probation and 100 hours of community service.|
|May 2008||Leslie A. Howell, who worked at an Oklahoma City counseling center, gave patient files to Ryan Jay Meckenstock and Nicole Lanae Stevenson, who used the files "to make counterfeit identification papers that helped them obtain merchandise and credit from a number of retailers."||Sentenced to 14 months in prison.|
|February 2008||Meckenstock and Stevenson used stolen patient files from Howell, as well as from stolen and discarded mail, Internet searches, credit reports and car burglaries, to produce counterfeit identification documents (IDs) to obtain merchandise and credit from various merchants.||Meckenstock was sentenced to serve 119 months in federal prison. Stevenson was sentenced to serve 168 months in federal prison. Each defendant was ordered to pay $101,896.39 in restitution to the victims.|
|January 2007||Isis Machado, an employee at the Cleveland Clinic in Weston, Fla., was charged with obtaining computerized patient files and downloading individually identifiable health information of more than 1,100 Medicare patients, and then selling the information to her cousin, Fernando Ferrer Jr., owner of Advanced Medical Claims Inc. in Naples, Fla. Ferrer then used the information to submit approximately $2.8 million in fraudulent Medicare claims.||Machado and Ferrer were each found guilty of conspiring to defraud the United States, one count of computer fraud and one count of wrongful disclosure of individually identifiable health information. Ferrer was sentenced to 87 months in prison, to be followed by three years of supervised release, and must pay $2.5 million in restitution. Machado was sentenced to three years probation, including six months of home confinement, and ordered to pay $2.5 million in restitution.|
|March 2006||Liz Arlene Ramirez was convicted for selling individually identifiable health information about an FBI agent to a drug trafficker in exchange for $500.||Sentenced to serve six months in jail followed by four months of home confinement with a subsequent two-year term of supervised release and a $100 special assessment.|
|August 2004||Richard Gibson, an employee of the Seattle Cancer Care Alliance, a treatment center for cancer patients, stole patient information and used it to obtain credit cards in that patient's name, then used them to receive cash advances and to purchase various items, including video games, home improvement supplies, apparel, jewelry and gasoline valued at $9,139.42.||Signed a plea agreement and was convicted and sentenced to 16 months in prison. As part of his plea bargain, Gibson agreed to make restitution to the credit card companies whose cards he had used to make illegal purchases and to the victim of his identity theft.|
|Feb. 18, 2009||CVS||Disposal of PHI||$2.25 million, information security improvements and ongoing audits.|
|July 2008||Providence Health & Services||Loss of electronic backup media and laptop computers containing individually identifiable health information.||$100,000, plus implementation of a detailed corrective action plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.|