Late last month, the U.S. Department of Justice announced that a 62-year-old woman would be spending a year behind bars after being convicted of disclosing the health information of two people “with the intent to cause them embarrassment and mental distress.”
Linda Sue Kalina worked from March 7, 2016 through June 23, 2017 as a patient information coordinator at Tri Rivers Musculoskeletal Centers, an affiliate of University of Pittsburgh Medical Center (UPMC). It was alleged she accessed the medical records of former classmates, friends and people she had a grievance with. In all, she is said to have accessed health information of more than 100 UPMC patients who had not been provided services at Tri Rivers Musculoskeletal Centers where she worked and therefore had no reason to access.
It also was alleged that she used the medical records to get back at a former employer, where she had worked for 24 years, before losing her job to a younger woman. Kalina admitted to accessing and disclosing personal health information of two employees from her previous job.
In March, Kalina pleaded guilty in federal court to one count of wrongfully disclosing the health information of another individual. Her year in prison is to be followed by three years’ supervised release. She also was ordered to have no contact with her victims during that time.
Kalina’s case should serve as a reminder that HIPAA violations not only can result in significant fines as we wrote about here, but also in jail time.
The penalties for violating HIPAA are based on whether the person knew that the rules were being violated or if they were violated intentionally. Individuals and covered entities who knowingly obtain or disclose personal health information face up to a year imprisonment. Those who access the information under false pretenses face up to five years behind bars. And those who access the information with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm face up to 10 years.
Kalina certainly isn’t the first person to go to jail for a HIPAA violation. Many people with access to protected health information may not even realize it, but simply accessing that information without a valid reason can land you in a lot of trouble. As we wrote about earlier this year, dozens of employees of Chicago’s Northwestern Memorial hospital were fired for accessing the medical records of actor Jussie Smollett.
By now, many healthcare entities have educated those with access to private health information about how HIPAA works and what constitutes a violation. But that once-a-year training often isn’t enough. It is incumbent upon covered entities to remain diligent, to consistently educate and enforce HIPAA policies and to keep on top of who has accessed protected health information. There is technology available today that allows employers to monitor who is accessing the information and for what purpose.
The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced professionals can help you to create a compliance program designed to meet your unique needs. Give us a call at 305-358-4500, or send an email to email@example.com and let’s discuss how we might be able to assist you.