This is part of a continuing series. Read part 1, "HIPAA enforcement getting stronger" and part 2, "HIPAA enforcement, more government audits leading to more convictions."
Despite the huge number of Health Insurance Portability and Accountability Act complaints, as of Feb. 25 there have been only two noncompliance sanctions applied by the U.S. Department of Health and Human Services, compared with eight HIPAA criminal felony convictions. All eight of the criminal convictions were basically the result of insiders abusing authorized access to protected health information (PHI) in order to commit crimes. The insider threat has always been significant. It is likely to become even more of a concern.
HIPAA criminal convictions

| Offense | Sentence |
|---|---|
| Andrea Smith of Trumann, Ark., convicted of accessing and disclosing a patient's health information from her place of employment for personal gain. | Sentenced to two years probation and 100 hours of community service. |
| Leslie A. Howell, who worked at an Oklahoma City counseling center, gave patient files to Ryan Jay Meckenstock and Nicole Lanae Stevenson, who used the files "to make counterfeit identification papers that helped them obtain merchandise and credit from a number of retailers." | Sentenced to 14 months in prison. |
| Meckenstock and Stevenson used stolen patient files from Howell, as well as from stolen and discarded mail, Internet searches, credit reports and car burglaries, to produce counterfeit identification documents (IDs) to obtain merchandise and credit from various merchants. | Meckenstock was sentenced to serve 119 months in federal prison. Stevenson was sentenced to serve 168 months in federal prison. Each defendant was ordered to pay $101,896.39 in restitution to the victims. |
| Isis Machado, an employee at the Cleveland Clinic in Weston, Fla., was charged with obtaining computerized patient files and downloading individually identifiable health information of more than 1,100 Medicare patients, and then selling the information to her cousin, Fernando Ferrer Jr., owner of Advanced Medical Claims Inc. in Naples, Fla. Ferrer then used the information to submit approximately $2.8 million in fraudulent Medicare claims. | Machado and Ferrer were each found guilty of conspiring to defraud the United States, one count of computer fraud and one count of wrongful disclosure of individually identifiable health information. Ferrer was sentenced to 87 months in prison, to be followed by three years of supervised release, and must pay $2.5 million in restitution. Machado was sentenced to three years probation, including six months of home confinement, and ordered to pay $2.5 million in restitution. |
| Liz Arlene Ramirez was convicted for selling individually identifiable health information about an FBI agent to a drug trafficker in exchange for $500. | Sentenced to serve six months in jail followed by four months of home confinement with a subsequent two-year term of supervised release and a $100 special assessment. |
| Richard Gibson, an employee of the Seattle Cancer Care Alliance, a treatment center for cancer patients, stole patient information and used it to obtain credit cards in that patient's name, then used them to receive cash advances and to purchase various items, including video games, home improvement supplies, apparel, jewelry and gasoline valued at $9,139.42. | Signed a plea agreement and was convicted and sentenced to 16 months in prison. As part of his plea bargain, Gibson agreed to make restitution to the credit card companies whose cards he had used to make illegal purchases and to the victim of his identity theft. |

HIPAA noncompliance sanctions

| Date | Organization | Violation | Penalty |
|---|---|---|---|
| Feb. 18, 2009 | | Disposal of PHI | $2.25 million, information security improvements and ongoing audits. |
| | Providence Health & Services | Loss of electronic backup media and laptop computers containing individually identifiable health information. | $100,000, plus implementation of a detailed corrective action plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. |