As a follow up to my August 9, 2011, blog item on “Who Is an ‘Other Individual’ That Can Be Prosecuted for a HIPAA Crime” and the follow-up blog item on September 17, 2011, in which I recounted the indictment of a person who had pretended to be a doctor and had used PHI to fraudulently treat and to get reimbursed for having treated patients, yet another indictment shows just how broad the category is of individuals that can be indicted for a criminal HIPAA violation.
According to an article in the Atlantic Information Systems online publication AISHealth of July 2011, volume 11, issue 7, the Department of Justice on June 28, 2011, indicted a woman whose only apparent connection with a covered entity was that she had been a visitor of a facility. Chelsea Stewart, 26, allegedly stole protected health information (‘PHI”) regarding more than 4,000 surgery patients at Trinity Medical Center in Birmingham, Alabama. When police executed a search warrant in connection with a fraud investigation, they discovered the surgery registration sheets for these patients.
As noted in that article, this indictment does more than just demonstrate how much the category of who can commit a HIPAA crime has expanded. It also indicates that covered entities need to pay as much attention to their paper records as they do their electronic records in terms of HIPAA compliance. Also, perhaps it is time to dust off your visitors policy and check to see whether it is reasonable and appropriate through a risk analysis. Remember to document your risk analysis and keep the documentation for the 6-year retention period for evidence of HIPAA compliance.