In Memphis, Tennessee, five former healthcare workers have pled guilty to selling sensitive data and may be facing hefty fines and even prison time.
What happened
According to a local news source, between approximately November 2017 and January 2020, Roderick Harvey, 41, paid 5 Methodist Le Bonheur Healthcare employees to give him 90 patients’ personal information.
Harvey sought information related to motor vehicle accidents and went on to sell the information to personal injury attorneys, chiropractors, and others who may have had financial interests.
On April 25th, the Department of Justice announced that all 5 healthcare workers and Harvey had pled guilty to selling the protected information.
The Methodist Le Bonheur Healthcare employees, most of whom held roles in the financial department, were released from their positions in 2020. The former workers face up to one year of imprisonment, a $50,000 fine, and a year of supervised release. Harvey faces up to 5 years of imprisonment, a fine of $250,000, and three years of supervised release.
All involved are expected to face sentencing between now and August 1st.
Why it matters
The actions of the former employees and Harvey constitute a clear HIPAA violation. According to the Department of Justice’s press release, “HIPAA’s provisions make it a crime to disclose patient information, or to obtain patient information with the intent to sell, transfer, or use such information for personal gain.”
According to the Department of Health and Human Services (HHS), there have been over 325,577 HIPAA complaints against organizations or individuals since 2003. While some HIPAA violations are intentional, as in Methodist Le Bonheur Healthcare’s case, some are accidental. Even in unintentional cases, HIPAA violations can still result in legal issues for the involved parties. Regardless, healthcare workers must be vigilant in understanding HIPAA compliance and the potential disciplinary actions that follow when HIPAA regulations are violated.
What was said
In a statement released by Methodist Le Bonheur Healthcare, a spokesperson said, “We take the security of our patient’s private information very seriously. Once we became aware of the situation, we promptly took action and alerted the appropriate legal authorities.”
Methodist cooperated completely with the investigation. While they don’t believe any financial information was released, they are offering free credit reports for those affected.
The bottom line
Methodist Le Bonheur Healthcare was diligent during the investigation process, but the case still shows the necessity of keeping workers and organizations aware of the risks of HIPAA violations. Serious consequences can follow both for the individuals whose information was leaked and for the workers and organizations involved in the violation.