Tough week for HIPAA violators

by James Lawson

Late last week I ran across two separate articles dealing with federal sentences for patient privacy violations.

The first was Arkansas’ first federal sentence for three people involved in a security breach over a local news anchor’s medical records. (This is the article from the Arkansas news bureau.) One of the more interesting parts of this for me is that the violation occurred from several different types of caregivers; one was the emergency department  supervisor and another was a doctor. This really gets to the core of the issue of protecting patient privacy — nobody should be able to look at your records without having a valid reason to. It also exposes a significant weakness in most hospital’s information protection surveillance and patient privacy monitoring programs:  there are caregivers who look  like they may need to have access to a chart but in reality they are not associated with the patient at all.  This makes the breach more difficult to find.

You may also remember the case regarding Palmetto General where two people were indicted and just this week convicted of stealing patients’ data. This last week has really given us two very good examples of where the federal authorities are going after patient privacy enforcement.

With the volume of daily health accesses and opportunity for misuse, it’s a wonder that we haven’t seen more violations that carry penalties at the federal level. These kind of cases are starting to be seen with more frequency and not a moment too soon.