Criminal HIPAA case targets employee, not clinic, for breach

Still, legal experts warn of state civil liabilities for physician practices in such situations.

By Amy Lynn Sorrel, AMNews staff. July 14, 2008.

The latest HIPAA criminal case may signal more aggressive efforts by the government to root out privacy breaches, while highlighting some legal risks for doctors and other "covered entities" for violations made by their employees, experts said.

A former Northeast Arkansas Clinic employee recently entered a guilty plea with the U.S. Attorney for the Eastern District of Arkansas for allegedly wrongfully disclosing a patient's protected health information and using it for personal gain and malicious intent.

Andrea Smith, a clinic nurse, accessed the unnamed patient's medical file and shared the contents with her husband. He later told the patient he planned to use the private information in an upcoming legal proceeding, according to the indictment.

The Arkansas case is believed by legal observers to be only the fourth criminal case brought under the Health Insurance Portability and Accountability Act since its medical records privacy rules went into effect in 2003.

U.S. Attorney Jane W. Duke said in a statement that HIPAA criminal prosecution is a "fairly new concept." At the same time, however, she issued a warning that the federal government intends to pursue "vigorous enforcement" of the privacy protections.

"What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated," Duke stated following Smith's April plea agreement.