HIPAA Violation Results in Criminal Prosecution

Criminal prosecutions for HIPAA violations are on the rise, and the latest news out of Ohio involves the theft of protected patient information. Almost 600 patients are affected by the breach, allegedly carried out by Jamie Knapp, who worked at ProMedica Bay Park Hospital in Oregon, OH.

HIPAA breach at ProMedica Bay Park Hospital

Criminal prosecutions under HIPAA had been rare; recently, however, there has been a marked rise in the number of complaints filed. Interestingly, prosecutions against individuals account for the largest part of the increase, but the attendant adverse publicity affects the employing healthcare provider or business associate.

Cyber experts also agree that healthcare providers are increasingly being targeted by thieves and hackers. Healthcare information tends to be very complete, that is, it contains a wealth of personal data that allows criminals to perform identity theft or stalking with a great deal of ease.

In the Knapp case, a grand jury handed down two indictments. The first dealt with the theft of 596 patient records by the respiratory therapist; the records she accessed included not only those of her own patients but those of others too. The second indictment charged Knapp with accessing a restricted-access computer in violation of federal law.

Knapp faces stiff criminal penalties if found guilty.

If convicted, Knapp faces 10 years in jail plus a maximum fine of $500,000.

While the healthcare provider was innocent of Knapp's criminal acts, the fallout for ProMedica is nevertheless considerable. In May 2014, the parent company of the 72-bed hospital began the task of notifying patients that their private health information had been compromised.

In an effort to foster good relations with affected patients, ProMedica is offering one year of identity theft protection at no cost. It is not yet known whether disgruntled patients will sue ProMedica for the breach and the loss of their information, which has exposed them to this risk.

Adding further insult to injury, the incident has been added to the US Department of Health & Human Services (HHS) “Wall of Shame”, a website run by HHS to highlight major data breaches. ProMedica has embarked on a staff-wide re-education program; however, IT experts, including Swift Systems, do not believe this is enough.

Ramping up employee education and awareness is only one technique for enhancing security of patient information. A full risk audit should be conducted to identify areas of weakness which would allow a breach. In addition, establishing a full audit trail of access and use of patient information is a HIPAA requirement, and there is frequently considerable scope for improvement in this area.

Furthermore, establishing user patterns of behavior will help identify non-authorized use of patient information, while improving authentication methods will restrict unauthorized access, particularly in tandem with role-based controls.
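One way to apply the audit-trail and behavior-pattern points above to the pattern in this case, a clinician opening records of patients who were not her own. This is an added example, not from the article or from ProMedica; the log layout, user names, assignment table and threshold are all assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample data: audit-trail rows (timestamp, user, patient record opened).
AUDIT_LOG = """\
2014-03-03T08:05:11,rt_alice,P1001
2014-03-03T08:40:02,rt_alice,P1002
2014-03-03T09:15:47,rt_bob,P2001
2014-03-03T09:20:13,rt_bob,P1001
2014-03-03T09:21:30,rt_bob,P3007
2014-03-03T09:22:05,rt_bob,P3008
2014-03-03T09:22:41,rt_bob,P3009
2014-03-04T10:02:19,rt_bob,P2001
"""

# Hypothetical treatment relationships, e.g. exported from a scheduling system.
ASSIGNED = {"rt_alice": {"P1001", "P1002"}, "rt_bob": {"P2001"}}


def review_access(log_text, assigned, max_unassigned_per_day=2):
    """Return {(user, day): sorted unassigned patient IDs} for user-days over the limit.

    A user-day is reported when the number of distinct records opened outside
    the user's assigned patients exceeds max_unassigned_per_day (assumed threshold).
    """
    unassigned = defaultdict(set)
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 3:
            continue  # skip blank or malformed rows instead of failing the review
        ts, user, patient = row
        # Users missing from the table have no assignments, so every access counts.
        if patient not in assigned.get(user, set()):
            unassigned[(user, ts[:10])].add(patient)
    return {key: sorted(pats) for key, pats in unassigned.items()
            if len(pats) > max_unassigned_per_day}


if __name__ == "__main__":
    for (user, day), patients in review_access(AUDIT_LOG, ASSIGNED).items():
        print(f"{day} {user}: {len(patients)} records outside assigned patients: {patients}")
```

A small allowance for unassigned access is kept because covering shifts and emergencies produce legitimate out-of-assignment lookups; flagged user-days are a queue for human review, not proof of misuse.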

While the criminal process has Knapp firmly in its sights, the impact on ProMedica’s reputation, goodwill and business is significant. Further, a subsequent breach or violation of HIPAA regulations is likely to leave the healthcare provider at significant risk of being fined, or indeed of facing a criminal prosecution itself.
