
6 Plead Guilty in Criminal HIPAA Scheme at Health Entity

Defendants Include 5 Former Hospital Financial Counselors
Five former Methodist Le Bonheur Healthcare workers - plus another individual - have pleaded guilty to HIPAA crimes. (Source: Methodist Le Bonheur Hospital website)

Six individuals - including five former employees of a Tennessee healthcare organization - pleaded guilty to criminal HIPAA violations in an alleged scheme involving the sale of motor vehicle accident patient information to third parties.


The five former workers at Methodist Le Bonheur Healthcare in Memphis each recently entered guilty pleas in a Tennessee federal court for charges of unlawfully disclosing patient information in violation of HIPAA, the U.S. Department of Justice announced Tuesday.

Prosecutors allege that the workers provided the patient information to a sixth individual, Roderick Harvey, who sold it to third parties including personal injury attorneys and chiropractors. Harvey pleaded guilty on Friday to conspiracy to violate HIPAA (see: 5 Hospital Workers Charged With Selling Patient Information).

The Justice Department alleges that between November 2017 and December 2020, Harvey paid the MLH workers for names and phone numbers of patients who had been involved in motor vehicle accidents.

Harvey faces a maximum penalty of five years in prison, a fine of $250,000 and three years of supervised release. His sentencing is set for Aug. 1.

MLH told Information Security Media Group that under 1,500 patients were affected by the scheme. The organization notified each individual whose information had been compromised and reported the breaches to the federal regulators, MLH says.

The hospital says it has since implemented a monitoring and auditing system for its patient registration process.

Four of the MLH employees worked as financial counselors, while the fifth held a variety of roles, including PBX unit secretary, according to court documents. The longest-tenured employee, Sylvia Taylor, worked in the hospital's emergency room as a financial counselor for 18 years, court documents show.

Co-defendant Kirby Dandridge received a sentence of one year of probation and a $2,500 fine.

The other defendants - Taylor, Adrianna Taber, Kara Thompson and Melanie Russell - each face a maximum penalty of one year in prison, a $50,000 fine, and one year of supervised release for each HIPAA violation. They are scheduled to be sentenced in May and June.

Judges appear to be taking a harder line against criminal HIPAA violators.

Two defendants in another HIPAA criminal case prosecuted in Texas received 48 months and 30 months in prison, respectively (see: Second Defendant Sentenced in EHR-Related Fraud Case).

Combating the misuse of patients' protected health information is becoming a higher priority for regulators and law enforcement, said regulatory attorney Rachel Rose, who was not involved in either case.

"Four years is a significant sentence in light of the statute, as well as the federal sentencing guidelines," Rose said.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
