Ann W. Latner, J.D.

What began as routine file maintenance ended in arrest and possible jail time for a licensed practical nurse who shared a patient's medical information with her spouse.

Ms. A, 29, had been employed by a midsize regional clinic for five years. While she enjoyed her job and got on well with her supervisor, Dr. P, she was known to bemoan what she saw as low pay and the financial strain it created for herself and her husband. That strain intensified when her husband was in an auto accident and then sued by people in the other car seeking compensation for their injuries.

One day, as Ms. A was flipping through charts to straighten up the files, she saw the plaintiff's name. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file. That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she'd taken earlier. “I think this will help,” she said.

The next day, Mr. A phoned the patient. During the conversation, he made it known that he had medical information which he believed weakened the man's case. Mr. A suggested that he consider dropping the lawsuit.

After hanging up with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney.

The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.

After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed them that no breach of these laws would be tolerated under any circumstances.

Meanwhile, Ms. A's problems were just beginning. The district attorney forwarded the patient's complaint to a federal prosecutor, and within a month, both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. Ms. A pleaded guilty to one count of wrongful disclosure of individual health information for personal gain. In exchange for her plea, the charges against her husband were dismissed.

Ms. A is awaiting sentencing. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation. The state nursing board is seeking to revoke her license.

Legal background

Since HIPAA went into effect in 2003, more than 34,000 complaints of privacy violation have been filed. Most complaints (about 80%) were resolved. Many were simply dismissed. Often, a warning was issued or the matter was pursued in civil court.

About 400 of the unresolved cases have been referred to the federal Department of Justice, but only a handful have been prosecuted. This is likely to change, however, as violations are taken more seriously and as the government gears up for these types of cases.

While some HIPAA violations are inadvertent—a stolen laptop with patient records on it, for example—Ms. A's actions struck at the heart of what HIPAA is supposed to avoid. She accessed patient records; gathered information; and then provided that information to someone else, knowing it would be used in a way that was harmful to the patient. Her prosecution was meant to set an example and warn HIPAA-covered entities that the regulation is serious and must be upheld.

Protecting yourself

Ms. A's actions could have put the clinic itself in danger of prosecution, but management handled the situation in the best way possible. Her supervisor fired her on the spot after the patient notified him of the breach. Then, without delay, Dr. P called a meeting to educate staff members—both clinical and clerical—about HIPAA's provisions, their purpose, the importance of patient privacy, and what can happen in the event of a violation. As an employer, it is essential that you not wait for an incident to occur.

The best way to protect yourself is to ensure that your employees understand HIPAA regulations. Educate your employees upon hire and periodically thereafter. Keep written records detailing clinic policy and include it in all employee manuals or handbooks. In this way, you will protect both yourself and your employees.