A former medical technician was caught selling electronic protected health information (ePHI), including the names, addresses, dates of birth and Medicare numbers of patients, along with blank hospital prescription forms, receiving about $500 to $800 in cash for each transaction. After receiving the prescription pads and patient information, the buyer forged prescriptions for oxycodone and filled them at various pharmacies.
She was sentenced to three years of probation, including six months in a halfway house, ordered to perform 100 hours of community service, and fined $2,100 for violating HIPAA rules.
“Health care providers have an obligation to closely guard their patients’ confidentiality,” said U.S. Attorney Machen. “Patients deserve to have their personal information kept private, not sold for cash in a scheme to forge prescriptions for painkillers. This felony conviction confirms that private patient information is a trust to be protected, not a commodity to be sold to the highest bidder.”
Small medical practices have a duty to protect their patients’ records even if an employee such as this one criminally violates HIPAA. Have you identified which documents are easy to access in your practice? Beyond data encryption, are you looking for other potential breaches? What processes are you using to safeguard ePHI?