Two Recent Criminal Prosecutions For HIPAA Privacy Rule Violations Signal Rising Criminal Enforcement Risks

Register here  To Participate In September 9 or September 17 Briefings on New HIPAA Data Breach Rules

September 8, 2009

Two recent separate criminal actions against hospital workers for wrongfully accessed medical records in violation of the medical privacy provisions of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA) are the latest reminders to health care providers, health plans, health care clearinghouses, their business associates and members of their workforce that the criminal provisions of the HIPAA Privacy Rules have teeth. 

Palmetto General Hospital Employee And Accomplice Indicted For Stealing Patient Records As Part Of Fraud

 In Miami-Dade County, federal felony charges are pending against Jacquettia L. Brown, 29, and Tear Renee Barbary, 25, prosecution on for offenses relating to the theft of patient profile records from Palmetto General Hospital to further a fraud scheme.

A seven-count Indictment announced by the Department of Justice on May 26, 2009 charges Brown and Barbary with conspiracy to commit access device fraud in violation of Title 18, United States Code, Section 1029(b)(2), and criminal violations of HIPAA. In addition, Brown is charged with aggravated identity theft, in violation of Title 18, United States Code, Section 1028A(a)(1).  If convicted, the defendants face a statutory maximum of five (5) years’ imprisonment on Count 1, and a statutory maximum of ten (10) years’ imprisonment as to each of Counts 2, 3, and 7. As to Counts 4-6, Brown faces a two (2) year mandatory prison sentence per count. 

According to the Indictment, Brown, a medical records employee of Palmetto General Hospital, took records containing personal profile information of Palmetto General Hospital patients. Defendant Brown and Barbary then used the stolen personal information to further a credit card fraud conspiracy. The patient profile records that Brown stole included personal identifying information, such as patients’ names, birthdates, Social Security numbers, addresses, driver’s license numbers, and next of kin contacts. Brown used the stolen identifying information to obtain patients’ credit card account numbers. She gave patient profile records and credit card account numbers to Barbary, who used the information to make unauthorized credit card purchases. When law enforcement officials disrupted the scheme, Brown was in possession of 41 patient profile records and Barbary was in possession of six patient profile records.

Curiosity Check of Medical Records Results In Arkansas Doctor, 2 Former Hospital Employees Guilty Plea To HIPAA Violation

Three Arkansas health care workers could be sentenced to up to 1 year in prison, a fine of not more than $50,000, or both after pleading guilty in July, 2009 to misdemeanor violations of the health information privacy provisions of HIPAA for accessing a patient’s record without any legitimate purpose.

United States Magistrate Judge Henry L. Jones, Jr. accepted the guilty pleas of Dr. Jay Holland, age 56, of Little Rock, Arkansas; Sarah Elizabeth Miller, age 28, of England Arkansas; and Candida Griffin, age 34 of Little Rock, Arkansas after each admitted to accessing patient records to satisfy their own curiosity.

Dr. Holland, Medical Director of Select Specialty Hospital, located on the 6 floor of the St. Vincent Infirmary Medical Center (SVIMC), admitted that after watching news reports on television, he logged on to the SVIMC patient records from his computer at home and accessed a patient’s files to determine if the news reports were accurate. He admitted he accessed the file because he was curious even though he had had HIPAA training and understood he was violating HIPAA when he accessed the file. SVIMC suspended Dr. Holland’s privileges for two weeks and required him to complete on-line HIPAA training.

Sarah Elizabeth Miller, formerly an account representative at SVIMC, Sherwood Campus, was responsible for checking patients in and out of the clinic and for processing patient billing. In order to perform her duties, she had access to the SVIMC patient records program which includes all locations, not just that of the Sherwood clinic. Miller admitted that on October 20 and 21, 2008, she accessed a patient’s files approximately 12 times out of curiosity. She admitted that she accessed the records without any legitimate purpose. Records show that Miller was trained on HIPAA privacy laws by SVIMC. SVIMC fired Miller from her position.

Candida Griffin was the emergency room unit coordinator at SVIMC. Her responsibilities were to order patient tests, perform data entry into electronic patient files for patients and perform other secretarial functions in the emergency room. Griffin admitted that on October 20, 2008, she was told by the charge nurse to set-up an alias for a particular patient admitted to the emergency room. On October 21, 2008, after the patient had been moved to ICU, Griffin admitted that she became curious about the patient’s status and accessed the medical chart to find out if the patient was still living. Although Griffin did not inform anyone about accessing the chart, hospital records show that the patient’s records were accessed three times that day by Ms. Griffin. SVIMC records show that Griffin was trained on HIPAA privacy laws. SVIMC fired Griffin from her position.

Pursuant to plea agreements with the United States, Holland, Miller and Griffin pleaded guilty to a misdemeanor a violation of the health information privacy provisions of HIPAA based on their accessing a patient’s record without any legitimate purpose. Each faces a maximum penalty of 1 year imprisonment, a fine of not more than $50,000, or both. A sentencing date has not yet been set, but is expected within the next few weeks.

Criminal Referral and Enforcement Continues

Together with the HIPAA-related criminal convictions of in 2008 of David Gibson, Ferando Ferrer, Jr. and Andrea Smith discussed here, these new Arkansas and Florida criminal actions document the willingness of Justice Department attorneys to investigate and prosecute certain criminal violations.  Because they involved the theft of health information for use in furtherance of other health care fraud schemes, many have viewed as predictable and understandable the prosecution of Gibson, Ferrer, Brown and Barbary.  In contrast, the willingness of Jane W. Duke, United States Attorney for the Eastern District of Arkansas, to prosecute criminally the wrongful access by the SVIMC health care workers and Andrea Smith in the absence of other health care fraud motives challenges the perception widely held among certain segments of the health care and health plan industry that the criminal provisions of HIPAA have little teeth.  Since U.S. Attorney Duke pursued both the SVIMC and Smith prosecutions, it remains to be seen whether other U.S. Attorneys will be equally willing to pursue prosecution of HIPAA violations in the absence of evidence of other federal health care crimes.  

Less speculative is the growing readiness of the Department of Health & Human Services Office of Civil Rights to pursue civil remedies for HIPAA violations.  On February 18, 2009, for instance, OCR and the Federal Trade Commission (“FTC”) issued a joint announcement (the “Announcement”) ordering CVS Pharmacy, Inc., the nation’s largest retail pharmacy chain, to pay the U.S. government a $2.25 million settlement and to take other corrective action to ensure that it does not violate the privacy rights patients under HIPAA when disposing of patient information such as identifying information on pill bottle labels.  In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order and agreed to a settlement with the FTC to settle potential violations of the FTC Act.  The investigation resulting in the settlement marks the first instance where the OCR formally coordinated on investigation and resolution of a case with the FTC. 

Coming as new data breach notification requirements for HIPAA-covered entities are set to take effect on September 23, 2009, these and other stepped up oversight and enforcement activities make it critical that all health care providers, health plans, health care clearinghouses and their business associates need to update their policies and practices, tighten their compliance and data breach monitoring processes, and strengthen their internal controls, compliance in preparation for defending their actions under the newly strengthened Privacy Rules.  Covered entities and their business associates more than ever must ensure their ability to demonstrate to federal regulators the effectiveness of their HIPAA compliance efforts by both adopting the written policies and procedures required by HIPAA and continuously monitoring and administering these safeguards.  Covered entities should consider reviewing the adequacy of their current HIPAA Privacy and Security compliance practices taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

If you need assistance with auditing, updating or defending your organizations HIPAA and other privacy and data security practices, please contact Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail at

Register Now For Upcoming September Health Industry Update Programs

If you found this information of interest, you also may be interested in one of the following upcoming health industry programs to be presented by Ms. Stamer during September:

  • HITECH ACT Health Data Security & Breach Update on September 9, 2009 hosted live or via teleconference by Curran Tomko Tarski LLP 
  • How to Ensure That Your Organization Is In Compliance With Regulations Governing Discrimination — What You Should Be Doing To Be Prepared for the New, Stepped Up Enforcement Actions on September 10, 2009 hosted via teleconference by Health Resources Publishing
  • Health Information Security & Data Breach Under HITECH Act on September 17, 2009 hosted via teleconference by the Health Care Compliance Association

To register or for other details about these and other upcoming programs and presentations by Ms. Stamer and other Curran Tomko Tarski members, see here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Curran Tomko Tarski LLP Latest in Health Care Updates available online by clicking on the article title:

For More Information

We hope that this information is useful to you.  If you need assistance with auditing or defending these or other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402,, Edwin J. Tomko at (214) 270-1405 or another Curran Tomko Tarski LLP Partner of your choice. Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other internal controls and risk management matters. 

You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here.  If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information to

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here.  To unsubscribe, e-mail here.

©2009 Cynthia Marcotte Stamer.  All rights reserved.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: