A new HIPAA criminal case suggests that healthcare organizations may be not criminally liable for employee disclosures of protected health information if they have strong protections in place or are unaware of an employee's behavior. In the case, believed to be only the fourth criminal case pursued under HIPAA, a clinic nurse with the Northeast Arkansas Clinic pled guilty to wrongfully disclosing a patient's PHI and using it for personal and malicious intent. Andrea Smith admitted that she accessed a patient's medical file and shared it with her husband, who planned to use the information in an upcoming legal proceeding. Now, Smith faces up to 10 years in prison, $250,000 in fines or both. She was also terminated from the clinic when it found out about the breach. Legal observers had assumed, under previous Department of Justice guidelines issued in 2005, that the clinic would be liable for the actions for employees like Smith.
To learn more about this story:
- read this AMNews piece
Related Articles:
HHS plans surprise HIPAA audits
Over-applying and misapplying HIPAA is common
Few HIPAA complaints pursued
HIPAA violations not drawing fines