Former Patient Coordinator Wrongfully Disclosed Patient Information
(HealthInfoSec) • March 8, 2019
A former patient coordinator at UPMC, a medical center in Pittsburgh, has pleaded guilty to wrongfully disclosing health information in a rare case involving criminal prosecution for violating HIPAA.
The Department of Justice says Linda Sue Kalina, 61, pleaded guilty in a Pittsburgh federal court to one count of unlawfully disclosing patient information.
Kalina had been indicted by a federal grand jury last June on six counts, including wrongfully obtaining and disclosing health information in violation of HIPAA, and wrongfully disclosing health information with the intent to cause malicious harm.
Prosecutors say Kalina worked from March 7, 2016, through June 23, 2017, as a patient information coordinator at UPMC and its affiliate, Tri Rivers Musculoskeletal Centers in Mars, Pennsylvania. Prosecutors charge that Kalina, in violation of HIPAA, improperly accessed the health information of 111 UPMC patients who had never been provided services at TRMC.
"Specifically, on Aug 11, 2017, Kalina unlawfully disclosed personal gynecological health information related to two such patients, with the intent to cause those individuals embarrassment and mental distress," the Justice Department statement says.
Sentencing is slated for June 25. The law provides for a sentence of up to 10 years in prison, a fine of up to $250,000, or both, the Justice Department says. Kalina remains free on bond pending the sentencing hearing.
The other counts against Kalina will be a factor when the U.S. district judge sentences her in June, according to a March 7 news story in the Pittsburgh Post Gazette.
Revenge for Firing?
Prosecutors said Kalina's disclosures of patient information involved the medical records of two employees of a construction company where Kalina had worked for 24 years before being fired, according to the Post Gazette.
Prosecutors said Kalina accessed patient files of two Frank J. Zottola Construction company employees and sent an email to the firm's controller in June 2017 in which she revealed gynecological records for one of them identified as "P.W.," a woman who had taken her place at Zottola as office manager, according to the Post Gazette.
Kalina also allegedly left a voicemail on the company's answering machine in August 2017 revealing medical information about P.W. and another employee, "C.C." That disclosure is the count to which she pleaded guilty, the newspaper reports.
The Frank J. Zottola Construction firm and UPMC both declined to comment on the case.
Rare Cases
Criminal prosecutions of HIPAA violation cases remain relatively rare.
"U.S. attorneys have great discretion in investigating, enforcing and resolving criminal cases under the HIPAA statute," notes privacy attorney David Holtzman, executive adviser at security consulting firm CynergisTek.
"What we have seen to date is that most HIPAA violations are prosecuted as a lesser offense [as part of] other crimes like healthcare fraud, activity involving cybercrimes or threats to a law enforcement officer or public official," he notes.
The facts of a case play into a finding that HIPAA was violated, he adds. In the case involving Kalina, "it is important to view this in the larger context of the motivation of why this patient coordinator at a pair of large regional health systems was misusing her authorized access to protected health information," he says.
"This individual accessed the records of scores of patients over a period of 18 months. She targeted the employees and managers of a local construction company that was a former employer, ultimately disclosing PHI in order to embarrass and harass them," he notes.
"The HIPAA criminal statute is in place precisely because even the best information security controls can be defeated by a determined insider who looks to violate the confidentiality or corrupt the integrity of a patient's PHI."
One reason for the small number of criminal cases for violation of the HIPAA statute is the limited availability of resources of the Department of Justice, Holtzman says. "It requires a lot of time and effort to investigate and prosecute a criminal case involving the HIPAA statute," he notes.
Other HIPAA Criminal Cases
Among the previous convictions in criminal HIPAA cases, a jury in a federal court in Massachusetts in April convicted Rita Luthra, a former gynecologist at a women's health center in Springfield, Massachusetts, of violating HIPAA as well as obstructing a criminal healthcare investigation (see Former Physician Convicted of Criminal HIPAA Violation).
The case against Luthra, however, was related to a larger, complex federal healthcare fraud case prosecuted against pharmaceutical maker Warner Chilcott.
Another criminal case involving HIPAA involved Denetria Barnes, a former nursing assistant at a Florida assisted living facility, who was sentenced in 2013 to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA-protected information.
And also in 2013, Helene Michel, the former owner of a Long Island, New York, medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud, as well as criminal HIPAA violations (see Hefty Prison Sentence in ID Theft Case).
While those cases involved multiyear federal prison sentences, most other defendants convicted of criminal HIPAA violations have generally gotten lighter sentences.