LTACH Medical Director and Medical Center Employees Receive Fines and Probation for HIPAA Violations

Posted by Jason Greis on December 5, 2009 under Articles

In October 2009, a Federal judge in Arkansas sentenced the medical director of an Arkansas hospital-within-hospital LTACH and an account representative and emergency unit coordinator of the host hospital to fines and probation for violating the Health Insurance Portability and Accountability Act (“HIPAA”) by unlawfully viewing a high-profile patient’s electronic medical records. (U.S. v. Holland, E.D. Ark., No. 09-cr-168, sentencing Oct. 26, 2009; U.S. v. Griffin, E.D. Ark., No. 09-cr-169, sentencing Oct. 26, 2009; U.S. v. Miller, E.D. Ark., No. 09-cr-170, sentencing Oct. 26, 2009).

In July 2009, each of the three defendants pleaded guilty to misdemeanor violations of the privacy provisions of HIPAA and entered into a plea agreement acknowledging that each had unlawfully accessed patient medical records without having any legitimate need to do so.  While the physician admitted viewing patient records only once, the account representative admitted viewing the patient’s files twelve times and the unit coordinator admitted accessing the patient’s file on three separate occasions.  Each party had previously received HIPAA compliance training from their respective employers. 

As a result of this violation:

  • The medical director was sentenced to one year of probation, ordered to pay a $5,000 fine and perform fifty hours of community service educating professionals on HIPAA.  The physician was also suspended by the LTACH for two weeks and ordered to complete additional HIPAA training; and
  • The account representative and emergency room coordinator were each sentenced to one year of probation and ordered to pay a $1,500 fine, and were ultimately terminated.

Physicians and employees should recognize that the penalties could have been much worse for each of these individuals, who could have received a maximum penalty of one year imprisonment, a fine of more than $50,000, or both. Readers should take away important lessons from this incident, including:

  • The Federal government is adding resources in 2010 to ensure HIPAA compliance and to address enforcement concerns, especially since passage of the HITECH Act in February 2009, which dramatically increased HIPAA civil penalties;
  • HIPAA compliance training is an ongoing endeavor, which LTACHs may want to consider repeating on a regular basis to comply with law and shield a facility from potential liability; and
  • Electronic medical record (“EMR”) systems can be an important HIPAA compliance tool. Access to EMR system data is password-protected, and individually identifying, time- and date-stamped user log-ons ensure that compliance violations are readily identified.

Please contact me if you have any questions about implementing an effective HIPAA compliance program.

Jason S. Greis
McGuireWoods LLP
312.849.8217
jgreis@mcguirewoods.com
