A federal grand jury in Pennsylvania has indicted a former patient coordinator on several counts of wrongfully obtaining and disclosing the health information of others. The case is the latest rare example of prosecutors pursuing criminal charges for HIPAA violations.
The U.S. Department of Justice, in a statement, notes that the six-count indictment was returned on June 28 against Linda Sue Kalina, 61, of Butler, Pa. Kalina faces a potential maximum total sentence of 11 years in prison, a fine of $350,000, or both.
According to the indictment, Kalina, while employed as a patient information coordinator by the University of Pittsburgh Medical Center, and then as a patient access coordinator by the Allegheny Health Network, wrongfully obtained health information in violation of HIPAA from March 30, 2016, through August 14, 2017, relating to 111 individual patients.
The indictment also charges that on four occasions between Dec. 30, 2016, and August 11, 2017, Kalina wrongfully disclosed the health information of three individuals, with the intent to cause "malicious harm."
Prosecutors allege that in her capacity working at UPMC with its affiliated Tri Rivers Musculoskeletal Centers, and later at AHN, Kalina was authorized to access patient information contained in the organizations' electronic medical records systems "as necessary to provide services to patients or as otherwise authorized by a patient or the law."
Court documents do not specify the "malicious harm" that Kalina allegedly intended to cause by wrongfully disclosing patient information.
Kalina was expected to post unsecured bond in the amount of $10,000 on June 28, court records show. As of July 3, no further information was available from the court about Kalina's next scheduled appearance.
Prosecutors handling the Kalina case did not immediately respond to Information Security Media Group's inquiries, including the type of "malicious harm" allegedly intended by Kalina.
In general, the prosecution of criminal HIPAA violation cases is still pretty rare, although over the last several years a number of such cases have hit the courts, including a few convictions, some legal experts note.
"HIPAA criminal cases will certainly continue, and may even grow," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"However, it is critical for 'typical' people working in the healthcare industry to understand that these criminal prosecutions do not involve complicated HIPAA judgments or emails sent to the wrong person - basically every HIPAA criminal prosecution that has been brought involved some other crime as well, or some clear intentional wrongdoing," Nahra says.
"These were not training failures or interpretation mistakes. For covered entities, these situations are simply the most egregious results of insider problems - typically where an insider is doing something illegal despite HIPAA," he says.
UPMC declined to comment on the Kalina case. AHN did not immediately respond to ISMG's request for comment on the Kalina case.
Among the rare convictions in criminal HIPAA cases, a jury in a federal court in Massachusetts in April convicted Rita Luthra, a former gynecologist at a Springfield, Mass., women's health center, of violating HIPAA, as well as obstructing a criminal healthcare investigation (see Former Physician Convicted of Criminal HIPAA Violation).
However, the case against Luthra was related to a larger, complex federal healthcare fraud case prosecuted against pharmaceutical maker Warner Chilcott.
Other criminal cases involving HIPAA include a 2013 case involving Denetria Barnes, a former nursing assistant at a Florida assisted living facility, who was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA-protected information.
And in April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud, as well as criminal HIPAA violations (see Hefty Prison Sentence in ID Theft Case).
While those cases involved multiyear federal prison sentences, most other defendants sentenced for criminal HIPAA violations have generally gotten lighter sentences.
For example, in November 2014, Christopher R. Lykes Jr., a former South Carolina state employee, was sentenced to three years of probation, plus community service, after he sent personal information about more than 228,000 Medicaid recipients to his personal email account. Lykes pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy (see Sentencing in S.C. Medicaid Breach Case).
And in a 2010 case, former UCLA Healthcare System surgeon Huping Zhou, M.D., was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others (see HIPAA Violation Leads to Prison Term).
Lessons to Learn?
So what lessons can healthcare entities learn from these criminal HIPAA cases involving insiders?
"Covered entities need to have an effective way of monitoring employee activity involving patient records, and taking action to enforce appropriate policies and procedures where they are needed," Nahra says.
"Not all insider problems lead to criminal situations - some do require better training or more guidance - but some will involve these most egregious situations where there is an intention to do harm."