Stolen info results in first HIPAA-related conviction

The U.S. Attorney’s office in Western District of Washington state has announced that Richard W. Gibson, 42, of SeaTac, WA, pleaded guilty in federal court in Seattle to wrongful disclosure of individually identifiable health information for economic gain. The case is the first criminal conviction related to the health information privacy provisions of HIPAA that became effective in April 2003.

According to the U.S. Attorney’s office, Gibson admitted that he obtained a cancer patient’s name, date of birth, and Social Security number while he was employed at the Seattle Cancer Care Alliance, and that he disclosed that information to get four credit cards in the patient’s name.

HIPAA made it illegal to wrongfully disclose personally identifiable health information. Matthew Rosenblum, chief operations officer for privacy, quality management, and regulatory affairs at New York City-based health care consultants CPI Directions, tells Healthcare Risk Management that a review of the plea agreement reveals that the Department of Justice supports some previous interpretations of how HIPAA would be applied. Specifically, he says the case confirms these points:

1. Patients names, dates of birth, Social Security numbers, and other identifiers are defined as protected health information.

2. The HIPAA penalties are applicable to a covered entity’s individual work force members.

3. Appropriate use and disclosure of protected health information now will be aggressively enforced through the HIPAA statutes.