[ Friday, August 20, 2004 ]
BIG, BREAKING NEWS: The first criminal conviction and, as far as I can tell, first criminal charge of a violation of HIPAA has been entered in Washington state. Richard Gibson was an employee of the Seattle Cancer Care Alliance, and was able to get hold of the social security number and date of birth of a cancer patient. He used the information to get 4 credit cards, on which he charged about $9,000 worth of video games, jewelry, clothes, and, of course, porcelain figurines. He pleaded guilty as part of plea bargain yesterday, and agreed to a sentence of 10 to 16 months (which could be served in home confinement -- surrounded by the porcelain figurines), as well as restitution to the credit card companies as well as the identity theft victim. This all assumes that the judge accepts the plea, which I suspect he will.
Two lessons here: first, don't ever forget the criminal aspect of HIPAA. Keep it in mind for yourself when you're deciding whether to comply with the picky intricacies and banalaties of HIPAA, but also keep it in mind when you're trying to hammer on your staff the importance of keeping PHI private. Secondly, note that this is an identity theft case with a healthcare component. Gibson didn't steal medical information, but he did violate HIPAA, because PHI includes identifying information like birth dates and social security numbers. And he stole the social security number because therein lay the profit; while there may be some value in oncological medical information for a third party, the bigger risk is in the simpler identity theft opportunity. Keep that in mind when doing your risk analysis and implementing your HIPAA plans.
BNA report
here (paid registration needed), US Attorney
John McKay's press release
here, copy of the plea bargain agreement
here, Puget Sound Business Journal article
here (free registration may be required).
One final point/issue (thanks, John Cody): was Gibson a covered entity? He was an employee of a covered entity, and not an actual covered entity. The issue of whether HIPAA can be enforced against a person who is not a covered entity has generated more heat than light, but here you have a likely non-covered entity admitting to guilt under HIPAA. Interesting.
Jeff [10:31 AM]
http://www.blogger.com/template-edit.g?blogID=3380636
Blogger: HIPAA Blog - Edit your Template