The U.S. Attorney's Office for the Western District of Tennessee reports that a federal grand jury has indicted five former Methodist Hospital employees for unlawfully disclosing patient information in violation of HIPAA. These former workforce members were allegedly paid, between November 2017 and December 2020, to provide the names and phone numbers of Methodist patients who had been involved in motor vehicle accidents. The buyer then reportedly resold that information to third parties, including personal injury attorneys and chiropractors.
"Of course we hire only honorable people, not criminals like those," you may be saying to yourself, and we are sure Methodist Hospital thought the same until it learned (allegedly) otherwise. Insiders with legitimate credentials are exactly the threat that perimeter controls cannot stop; the only way to catch a workforce member looking up patients with whom they have no treatment relationship is to record that access and actually review the records. This is one reason we support and encourage our partner-clients to comply with § 164.308(a)(1)(ii)(D), Information System Activity Review (have procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports), and with § 164.312(b), Audit Controls (implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information). Note that the alleged disclosures in this case ran for roughly three years; audit logs that no one reviews satisfy neither requirement and would not have shortened that window.
While we wish we did not have to read about such behavior, it is better that you find it out and report it yourself than have someone else do so. We also encourage every HIPAA-bound entity to educate its workforce. Each of the people indicted in this case faces a maximum penalty of one year of imprisonment, a $50,000 fine, and a one-year period of supervised release, and that is just the HIPAA count. Click the graphic below to read about the other laws that apply and the total prison time (etc.) each faces. YIKES!
In the meantime, do those audits and...
Stay (HIPAA) safe, Alan -