
HIPAA criminal convictions outpace sanctions

Despite several years as law, HIPAA has resulted in only two sanctions to organizations, but there have been eight criminal convictions from the use of stolen health care data.

This is part of a continuing series. Read part 1, "HIPAA enforcement getting stronger" and part 2, "HIPAA enforcement, more government audits leading to more convictions."

Despite the huge number of Health Insurance Portability and Accountability Act complaints, as of Feb. 25 there have been only two noncompliance sanctions applied by the U.S. Department of Health and Human Services, compared with eight HIPAA criminal felony convictions. All eight of the criminal convictions were basically the result of insiders abusing authorized access to protected health information (PHI) in order to commit crimes. The insider threat has always been significant. It is likely to become even more of a concern.

HIPAA criminal convictions

| Date | Situation | Penalty |
| --- | --- | --- |
| December 2008 | Andrea Smith of Trumann, Ark., convicted of accessing and disclosing a patient's health information from her place of employment for personal gain. | Sentenced to two years probation and 100 hours of community service. |
| May 2008 | Leslie A. Howell, who worked at an Oklahoma City counseling center, gave patient files to Ryan Jay Meckenstock and Nicole Lanae Stevenson, who used the files "to make counterfeit identification papers that helped them obtain merchandise and credit from a number of retailers." | Sentenced to 14 months in prison. |
| February 2008 | Meckenstock and Stevenson used stolen patient files from Howell, as well as from stolen and discarded mail, Internet searches, credit reports and car burglaries, to produce counterfeit identification documents (IDs) to obtain merchandise and credit from various merchants. | Meckenstock was sentenced to serve 119 months in federal prison. Stevenson was sentenced to serve 168 months in federal prison. Each defendant was ordered to pay $101,896.39 in restitution to the victims. |
| January 2007 | Isis Machado, an employee at the Cleveland Clinic in Weston, Fla., was charged with obtaining computerized patient files and downloading individually identifiable health information of more than 1,100 Medicare patients, and then selling the information to her cousin, Fernando Ferrer Jr., owner of Advanced Medical Claims Inc. in Naples, Fla. Ferrer then used the information to submit approximately $2.8 million in fraudulent Medicare claims. Machado and Ferrer were each found guilty of conspiring to defraud the United States, one count of computer fraud and one count of wrongful disclosure of individually identifiable health information. | Ferrer was sentenced to 87 months in prison, to be followed by three years of supervised release, and must pay $2.5 million in restitution. Machado was sentenced to three years probation, including six months of home confinement, and ordered to pay $2.5 million in restitution. |
| March 2006 | Liz Arlene Ramirez was convicted for selling individually identifiable health information about an FBI agent to a drug trafficker in exchange for $500. | Sentenced to serve six months in jail followed by four months of home confinement with a subsequent two-year term of supervised release and a $100 special assessment. |
| August 2004 | Richard Gibson, an employee of the Seattle Cancer Care Alliance, a treatment center for cancer patients, stole patient information and used it to obtain credit cards in that patient's name, then used them to receive cash advances and to purchase various items, including video games, home improvement supplies, apparel, jewelry and gasoline valued at $9,139.42. | Signed a plea agreement and was convicted and sentenced to 16 months in prison. As part of his plea bargain, Gibson agreed to make restitution to the credit card companies whose cards he had used to make illegal purchases and to the victim of his identity theft. |

HIPAA noncompliance sanctions

| Date | Company | Situation | Penalty |
| --- | --- | --- | --- |
| Feb. 18, 2009 | CVS | Disposal of PHI | $2.25 million, information security improvements and ongoing audits. |
| July 2008 | Providence Health & Services | Loss of electronic backup media and laptop computers containing individually identifiable health information. | $100,000, plus implementation of a detailed corrective action plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. |
