A US federal grand jury in Tennessee has indicted five former Methodist Hospital employees for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The five defendants allegedly supplied Roderick Harvey with names and phone numbers of Methodist patients who had been in car accidents. Harvey also faces charges related to the scheme.
Note
- Ambulance chasing is legal; stealing patient records to sell to ambulance chasers is not. If you are subject to HIPAA, another data point to highlight is that violations can result in prosecutions, not just fines. In this case, employees are being charged with misuse of patient data, and it is not a big leap for investigators to ask why the hospital didn’t detect this activity.
- Harvey was a fugitive, arrested in August after fleeing to Arizona. He faces seven counts of obtaining patient information for financial gain. In this particular case, he is accused of bribing folks to get that information. In general, make sure that users, when pressured to turn over (sensitive) information, understand what their obligations are to protect the information as well as what the intended use is. When in doubt, defer to the data owner, privacy officer or legal counsel who are better versed in regulatory restrictions on information handling. Also make sure they understand the reporting mechanism for coercion or bribery.
- The new proverb, “data is the new currency,” rings true in this case. Hospital administrators should integrate this case into the training employees receive on the HIPAA law.