A former employee of an East Texas hospital is facing criminal charges for violating the Health Insurance Portability and Accountability Act, more commonly known as HIPAA.
On July 3, 2014, the US Department of Justice announced that charges would be filed against Joshua Hippler for alleged wrongful disclosure of individually identifiable health information. According to reports from Information Security Media Group, a DOJ spokeswoman in Tyler, Texas said that “the violation came to light when Hippler was arrested in Georgia and found to be in possession of patient records.”
According to the indictment, Hippler, who now faces up to 10 years in prison if convicted, obtained the protected health information (PHI) of patients with the intent to use the information for personal gain. The alleged theft of the PHI took place between December 1, 2012 and January 14, 2013, while Hippler was employed by a HIPAA-covered entity.
The DOJ is not releasing the name of the hospital where the incident took place. The investigation was led by agents from the HHS-OIG and the U.S. Postal Inspection Service, which leads us to believe the information must have been obtained or removed via the mailroom at the hospital.
As reported in this blog, there are a variety of identity theft crimes, most commonly IRS Tax ID fraud and credit card fraud, that can be easily perpetrated with this type of information.
Hospitals, medical practices and other covered entities should take note that some employees do in fact perpetrate criminal acts, and should employ safeguards to detect and protect against such acts. Based on the sketchy details of this incident, it appears that this may have been a very low-tech crime – taking information from a mailroom. Safeguards that can help prevent violations such as this include criminal background checks as part of the hiring process, creating a culture that supports HIPAA privacy, and policies that encourage or require all employees to report any suspicious behavior by coworkers.