Former Patient Coordinator Criminally Convicted of HIPAA Violations
On June 28, 2018, a former patient coordinator for the University of Pittsburgh Medical Center (UPMC) was indicted by a federal grand jury on six counts for wrongfully obtaining and disclosing protected health information (PHI). The Federal Bureau of Investigation handled this case and brought it to indictment.
Linda Kalina was employed at Tri Rivers Musculoskeletal Centers (a UPMC affiliate) from March 2016 through June 2017 and later at Allegheny Health Network through August 2017. In her role as a patient coordinator, Kalina had access to medical records and patient information. Following the investigation, Kalina was arrested and charged with obtaining access to PHI of 111 patients without authorization or any legitimate work-related reason. Additionally, Kalina was charged with obtaining and disclosing the PHI of three patients with intent to cause malicious harm. If found guilty on all charges, the former health care employee could face a maximum sentence of 11 years in federal prison, a fine of $350,000, or both.
Theft of and inappropriate access to PHI are serious matters, punishable to the full extent of the law. The Department of Justice has pursued several other cases resulting in prison sentences. Some examples from this year include:
- June 2018: Former employee at the Veteran Affairs Medical Center in Long Beach, CA, was sentenced to serve 3 years in jail for theft of the PHI of 1,030 patients.
- April 2018: Former dental practice receptionist in New York was sentenced to serve 2 to 6 years in prison for theft of the PHI of 650 patients linked to credit card fraud.
- February 2018: Former behavioral analyst at the Transformations Autism Treatment Center in Bartlett, TN, was sentenced to 1 month in prison, 3 years supervised release, and was instructed to pay $14,941.36 in indemnity after downloading the PHI of 300 current and former patients to a personal computer.
Employees must be aware of the serious implications of HIPAA violations. Access to PHI should be limited to “business or clinical need” only and should never be for any personal reason. Hefty fines and possible jail time are not uncommon and can happen to anyone handling private information. Remember to always make privacy a priority and to contact the Office of Privacy & Data Security with questions or concerns.