Nurse pleads guilty to privacy violation
Posted on Thursday, April 17, 2008
URL: http://www.nwanews.com/adg/News/223026/
A Trumann woman who pleaded guilty to disclosing a patient’s health information is the first person in Arkansas to be convicted under a 5-year-old federal law designed to protect patient privacy, authorities said Wednesday.
Andrea Smith, a 25-year-old licensed practical nurse, pleaded guilty to wrongfully disclosing a patient’s health information for personal gain, according to a statement from Jane W. Duke, U. S. attorney for the Eastern District of Arkansas.
On Nov. 28, 2006, Smith accessed the private health information of an unnamed patient while employed at the Northeast Arkansas Clinic in Jonesboro, according to the Tuesday statement. She then gave the information to her husband, Justin Smith, who called the patient and threatened to use the information against the patient in “an upcoming legal proceeding,” the statement said.
Since the Health Insurance Portability and Accountability Act went into effect on April 13, 2003, there have been 34, 771 complaints of privacy violations, according to the U. S. Department of Health and Human Services Office for Civil Rights.
More than 426 cases have been referred to the U. S. Department of Justice for possible prosecution, but just a fraction of those have resulted in convictions, officials said.
“They are very rare,” said Deven McGraw, director of the Center for Democracy and Technology’s Health Privacy Project, a Washington, D. C.-based nonprofit that advises on health-care privacy policy.
The U. S. Department of Justice does not track how many convictions there have been under the federal law, spokesman Laura Sweeney said.
In Arkansas, a December 2007 indictment charged Andrea and Justin Smith with two counts of conspiracy to wrongfully disclose individual health information for personal gain “with maliciously harmful intent in a personal dispute” with the patient, and one count of witness tampering.
Charges against Justin Smith and two counts against Andrea Smith were dropped in exchange for her guilty plea.
Andrea Smith faces a maximum of 10 years imprisonment, a fine of no more than $ 250, 000, or both, and a term of supervised release of not more than three years. She was fired from her job and is expected to be sentenced in 45 to 60 days.
Duke said Wednesday that no other cases involving violations of the federal health privacy act are now being handled by her office, but added that the office will “vigorously prosecute any intentional HIPAA violation” for which it has jurisdiction.
“What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated,” she said in a Tuesday statement. “Long gone are the days when medical employees were able to snoop around the office files for ‘juicy’ information to share outside the office.”
Jean Zehler, president of the Arkansas Nurses Association, said the case is a reminder to health-care providers nationwide that there are consequences to violating the federal law.
“It should bring to mind to any health-care provider that the law is serious and there is always a need to be careful,” Zehler said. “HIPAA is there for a reason. It is there to protect the rights of the patient.”
The first person to be convicted for violating the federal law was Richard Gibson, a former employee at a cancer clinic in Seattle, news accounts show.
Gibson was sentenced to 16 months in federal prison in November 2004 for taking personal information from a patient’s medical records and using it to obtain credit cards in the patient’s name. He charged more than $ 9, 000 to the credit cards.
More recently, the University of California at Los Angeles Medical Center disciplined an employee and fired 13 others in the past two months after learning they snooped into the medical records of actress Farrah Fawcett, singer Britney Spears and California first lady Maria Shriver.
Most violations are unintentional, McGraw said. For example, facilities have had laptops stolen with personal health information on them, or health plans have inadvertently put personal health information on the Internet, she said.
Such reports can have a “chilling effect” on people considering whether to seek medical care, and enforcement of the federal law has been “disappointing,” McGraw said.
Diane Mackey, assistant professor of health law with the University of Arkansas at Little Rock William H. Bowen School of Law, said since the law went into effect the government “seemed to adopt a position that assisting compliance was the most useful strategy for achieving compliance.”
Of the 34, 771 complaints received, 27, 796, or 79. 9 percent, have been resolved, according to the Office for Civil Rights. No violations were found in 2, 952 of the resolved cases, and privacy policy changes or other corrective actions were required in 5, 971 of the cases.
In the remaining 18, 873 resolved cases, the office determined complaints were either out of its jurisdiction, untimely or withdrawn, or didn’t violate the law.
The Arkansas State Board of Nursing opened a complaint against Andrea Smith on Wednesday after learning of the federal conviction, said Fred Knight, the board’s general counsel.
The board governs nurse licensing in the state.
In his 10 years with the board, Knight said, he doesn’t know of a case in which a person has taken patient information to use it in a malicious way.
“That’s a serious offense,” he said.