A federal jury in Ohio recently indicted Jamie Knapp, a former respiratory therapist, for allegedly violating the Health Insurance Portability and Accountability Act (HIPAA).
Knapp previously worked at ProMedica Bay Park Hospital in Oregon, Ohio, where she was permitted access to the individually identifiable health information of certain respiratory patients.
However, from May 10, 2013, through March 25, 2014, Knapp electronically accessed the HIPAA-protected information of approximately 596 ProMedica patients without the requisite authorization.
Following its discovery of these infractions, ProMedica, the parent company of the hospital where Knapp worked, began notifying affected patients that an unauthorized individual had accessed their medical records at some time between April 1, 2013, and April 1, 2014.
Prosecutors alleged that Knapp accessed the protected health information in order to procure intravenous drugs. She faces up to one year in prison.
Criminal HIPAA Violations?
Criminal HIPAA violations are uncommon, in part because convicting an individual of violating HIPAA requires proof that the person knowingly obtained or disclosed individually identifiable health information without authorization.
However, the Knapp case reminds us that covered entities and business associates face major insider threats from their own employees. It is vital that health care organizations take the necessary steps to prevent their employees from wrongfully accessing protected health information. Minimizing these threats requires clear policies on record access and continued reinforcement of these policies through training and auditing programs.
Special thanks to Jonathan Kerbis for his contributions to this post.
By James W. Weller and Michal E. Ovadia of Nixon Peabody. Read more Nixon Peabody blogs here.