Criminal Penalties for HIPAA Violations

Updated May 3, 2023 – All five ex-employees of Methodist Hospital and the one non-employee who conspired together to sell protected health information (PHI) have now pleaded guilty to criminal HIPAA violations. They will be sentenced in separate hearings in the coming weeks.

Intentionally disclosing patient information for financial gain carries heavy penalties, including jail.

A federal grand jury in Memphis, Tennessee, has indicted five former Methodist Hospital employees for conspiring to unlawfully disclose patient information in violation of HIPAA. The Justice Department announced the indictments on November 10, 2022. HIPAA’s provisions make it a crime to disclose patient information, or to obtain patient information with the intent to sell, transfer or use such information for personal gain.

Profits from the Sale of PHI

The five former employees allegedly conspired with a non-employee, Roderick Harvey, to disclose and sell protected health information (PHI) of patients involved in car accidents.

According to the indictment, between November 2017 and December 2020, Harvey paid Kirby Dandridge, Sylvia Taylor, Kara Thompson, Melanie Russell, and Adrianna Taber to provide him with names and phone numbers of Methodist patients who had been involved in motor vehicle accidents. Harvey then sold the information to third persons, including personal injury attorneys and chiropractors.

The DOJ says the conspiracy charge carries a maximum penalty of five years imprisonment, a fine of $250,000 and a three-year period of supervised release. All six have been charged with conspiracy.

In addition to the conspiracy charge, Dandridge, Taylor, Thompson, Russell, and Taber were each charged with separate violations of disclosing the information to Harvey in violation of HIPAA. That charge carries a maximum penalty of one year imprisonment, a $50,000 fine and a one-year period of supervised release.

Harvey has also been charged with seven counts of obtaining patient information with the intent to sell it for financial gain from November 12, 2017, to September 7, 2019. The DOJ says each of the charges carries a maximum of 10 years in prison, a fine of $250,000, and three years of supervised release.

Sixteen months earlier, Roderick Harvey was indicted by the Tennessee Bureau of Investigation for bribery and computer fraud in relation to confidential Memphis police department records.

An indictment contains allegations and is only the first step of a prosecution. The defendants are presumed innocent unless and until proven guilty.

HIPAA Enforcement is Alive and Well

HIPAA enforcement includes criminal prosecution for intentionally disclosing protected health information for financial gain or with an intent to harm. The five former hospital employees may not have understood the full scope of their wrongdoing, and how strongly their actions would implicate them personally.

However, a defendant may not use ignorance of the law as a defense. When a person “knowingly” violates HIPAA, it means that they have some knowledge of the facts that constitute the offense, not that they definitely know the specifics of how they are violating HIPAA Rules.

Whether the hospital is also responsible to the Office for Civil Rights (OCR) is a separate question and beyond the scope of today’s blog. Methodist Hospital does not appear to be under investigation by OCR at this time, according to the public breach reporting portal.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
