HIPAA privacy violation leads to criminal conviction

Use case in training, lawyer advises

A HIPAA-related criminal conviction has drawn attention to the seriousness of violations regarding protected health information and should be used as an object lesson in access training initiatives, suggests Michelle Masucci, JD, counsel in the health services group for the law firm of Nixon Peabody, LLC, in Garden City, NY. The case also focuses attention on the national problem of identity theft and how it can impact access services.

A Seattle man pleaded guilty Aug. 19 in federal court to wrongful disclosure of individually identifiable health information for economic gain, marking the first criminal conviction in the United States under HIPAA’s health information privacy provisions, which became effective in April 2003. Those provisions made it illegal to wrongfully disclose personally identifiable health information.

Richard W. Gibson, 42, of SeaTac, WA, admitted in a plea agreement that he obtained a patient’s name, date of birth, and Social Security Number while an employee of the Seattle Cancer Care Alliance, and that he disclosed that information to get four credit cards in the patient’s name. Gibson, who was fired shortly after the identity theft was discovered, also admitted that he used the cards to incur more than $9,000 in debt in the patient’s name. The FBI investigated the case.

At a hearing scheduled for Nov. 5, U.S. District Court Judge Ricardo S. Martinez will determine whether to accept Gibson’s plea agreement. If the plea is accepted, the judge will determine Gibson’s sentence within the range of 10 months to 16 months set forth in the plea agreement.

What’s really interesting for access professionals about the case is the training opportunity it provides," says Masucci, who, in addition to providing HIPAA counseling, has worked with clients on training and policies and procedures.

Although access employees who receive training on the HIPAA privacy rule have a theoretical understanding of how it applies to them, she points out, "I’m not sure there is an awareness that they can be subject to criminal charges."

In addressing HIPAA privacy and security issues, health care organizations do what they can to keep employees from wrongfully using private health information, Masucci says, "but once you’ve given them access to the information, you can’t put enough safeguards in place to truly [counteract] people who are intent on breaking the law."

The case provides "a little wake-up call," she notes. "It lets them know there are real, personal consequences for them — not just for the organization. It really is a very concrete example."

Identity theft affects access

Identity theft is a huge issue, and one that is impacting the way access departments operate, notes Gillian Cappiello, CHAM, senior director of access services and chief privacy officer for Swedish Covenant Hospital in Chicago. "We have identified several cases of identity theft," she adds, "usually, when the victims receive a bill for services they never had, and tell us they had their purse or wallet stolen. It’s very distressing for the victims, and they are often concerned that they have incorrect health information in their medical record and on record with their insurance company."

Dealing with such cases requires a lot of explanation and reassurance that everything is cleared up, and that the record has been properly identified, Cappiello says.

It is a bit harder to identify patients — and makes more work for registrars — when people, in the name of caution, refuse to give the hospital a Social Security number, she notes. But she says the extra security is worth the trouble. "I think Blue Cross and some other insurance companies have the right idea in using a different number for the insurance policy number."

Swedish Covenant has held a seminar, which was conducted by the Chicago police department, for its employees and another for seniors in the community on how to protect themselves from identity theft, she says.

It’s a crime that can have devastating and lasting consequences, Cappiello adds. "When the victim is ill and dealing with so many other issues, it’s the worst kind of crime, and the penalty should be the maximum allowable."

While news reports on the Seattle case didn’t mention whether the man’s employer did employee background checks, she adds, "that is certainly one step that can help."

"Too many Americans have experienced identity theft, and the nightmare of dealing with bills they never incurred," U.S. Attorney John McKay said in connection with the Gibson conviction. "To be a vulnerable cancer patient, fighting for your life, and having to cope with identify theft is just unconscionable. This case should serve as a reminder that misuse of patient information may result in criminal prosecution."