Updated May 3, 2023 – All five ex-employees of Methodist Hospital, and the one non-employee who conspired together to sell protected health information (PHI) have now pleaded guilty to criminal HIPAA violations. They will be sentenced in separate hearings in coming weeks.
Intentionally disclosing patient information for financial gain carries heavy penalties, including jail.
A federal grand jury in Memphis, Tennessee has indicted five former Methodist Hospital employees for conspiring to unlawfully disclose patient information in violation of HIPAA. The Justice Department announced the indictments on November 10, 2022. HIPAA’s provisions make it a crime to disclose patient information, or to obtain patient information with the intent to sell, transfer or use such information for personal gain.
Profits from the Sale of PHI
The five former employees allegedly conspired with a non-employee, Roderick Harvey, to disclose and sell protected health information (PHI) of patients involved in car accidents.
According to the indictment, between November 2017 and December 2020, Harvey paid Kirby Dandridge, Sylvia Taylor, Kara Thompson, Melanie Russell, and Adrianna Taber, to provide him with names and phone numbers of Methodist patients who had been involved in motor vehicle accidents. Harvey then sold the information to third persons including personal injury attorneys and chiropractors.
The DOJ says the conspiracy charge carries a maximum penalty of five years imprisonment, a fine of $250,000 and three-year period of supervised release. All six have been charged with conspiracy.
In addition to the conspiracy charge, Dandridge, Taylor, Thompson, Russell, and Taber were each charged with separate violations of disclosing the information to Harvey in violation of HIPAA. That charge carries a maximum penalty of one year imprisonment, a $50,000 fine and a one-year period of supervised release.
Harvey has also been charged with seven counts of obtaining patient information with the intent to sell it for financial gain from November 12, 2017, to September 7, 2019. The DOJ says each of the charges carries a maximum of 10 years in prison, a fine of $250,000, and three years of supervised release.
Sixteen months earlier, Roderick Harvey was indicted by the Tennessee Bureau of Investigation for bribery and computer fraud in relation to confidential Memphis police department records.
An indictment contains allegations, and is only the first step of a prosecution. The defendants are presumed innocent unless and until proven guilty.
HIPAA Enforcement is Alive and Well
HIPAA enforcement includes criminal prosecution for intentionally disclosing protected health information for financial gain or with an intent to harm. The five former hospital employees may not have understood the full scope of their wrongdoing, and how strongly their actions would implicate them personally.
However, a defendant may not use ignorance of the law as a defense. When a person “knowingly” violates HIPAA, it means that they have some knowledge of the facts that constitute the offense, not that they definitely know the specifics of how they are violating HIPAA Rules.
Whether the hospital is also responsible to the Office for Civil Rights (OCR) is a separate question and beyond the scope of today’s blog. Methodist Hospital does not appear to be under investigation by OCR at this time, according to the public breach reporting portal.