Archive for January, 2013
A federal district court judge January 18 sentenced a former registration clerk to 12 months and one day in federal prison for his role in stealing the information of Florida Hospital patients. As part of his sentence, Dale Munroe, II, 35, of Winter Haven, Fla., was also ordered to serve a two-year term of supervised release. Munroe pleaded guilty on October 22, 2012.
According to court documents, Munroe was hired at the Celebration, Fla., location of Florida Hospital in July 2006. During his employment, he worked as a registration representative in the Emergency Department, where he would register patients as they came in the main emergency entrance. From January 2009, until his termination in July 2011, Munroe used his position to obtain individually identifiable health information of patients of Florida Hospital who had been involved in motor vehicle accidents.
Munroe would then disclose that information to Sergei Kusyakov, who was involved in the operation of two chiropractic clinics (Metro Chiropractic and Wellness Center and City Lights Medical Center). Kuskyakov and other conspirators would then use the stolen information to solicit Florida Hospital patients for chiropractic and legal services. Kusyakov would pay Munroe for his role in providing the stolen information. On July 12, 2011, Munroe was terminated by Florida Hospital for a patient data breach that was unrelated to the conspiracy described above.
Approximately a week after his termination, Katrina Munroe, 30, of Winter Haven, Munroe’s wife and also an employee of Florida Hospital, was recruited by the conspirators to take over the role of stealing patient data and providing it to Kusyakov. In August 2012, Katrina Munroe was terminated from her position at the hospital, after becoming a suspect in a data breach incident. In December 2012, she pleaded guilty to her role in the conspiracy. She faces a maximum penalty of five years in federal prison. Her sentencing hearing has been set for March 11, 2013.
On January 7, 2013, Sergei Kusyakov (38, Davenport) pleaded guilty to one count of conspiracy and four counts of wrongful disclosure of individually identifiable health information. He faces a maximum penalty of 45 years in federal prison. His sentencing hearing has been set for March 25, 2013.
OCR has published fresh guidance on what a business associate contract should include. This is an update to old guidance issued when the HIPAA Privacy Rule first went into effect, according to HIPAA Blog.
OCR lays out in its guidance 10 things a contract between a covered entity and a business associate must do.
The Kennedys have a way of making headlines. They owned the 20th century with a U.S. ambassador, U.S. congressmen and senators, a U.S. attorney general, war heroes, mayors, magazine publishers, and, of course, the 35th president of the United States.
And now they’re still making headlines — but for HIPAA?
Douglas Kennedy, son of the late Robert F. Kennedy, U.S. attorney general under his brother and presidential candidate until his assassination in 1968, is suing two nurses and Northern Westchester Hospital in Mount Kisco, NY, over a 2012 incident involving his newborn son. In short, Kennedy tried to take his newborn out for fresh air, the nurses tried to stop him, and the nurses allege Kennedy assaulted them. A jury last November acquitted Kennedy of endangerment of a child and two counts of physical harassment against the nurses.
So how HIPAA?
Well, Kennedy’s lawsuit against the nurses claims that there were unauthorized disclosures of Molly Kennedy’s (the baby’s mom) PHI, including her medical records, as well as her infant son’s medical records and a video surveillance tape from January 7. The lawsuit charges assault, intentional infliction of emotional distress, defamation, and malicious prosecution — and also a breach of confidentiality on the part of the hospital and the nurses.
As we all know, HIPAA allows disclosures to law enforcement, but under certain circumstances. HHS nicely lays out the privacy rule’s law over disclosures to law enforcement.
The question over this lawsuit is did the hospital act within its rights to release this information?
What do you think will happen?
Another laptop has gone stolen from a hospital employee’s car.
Lucile Packard Children’s Hospital at Stanford and the Stanford University School of Medicine notified patients by mail that a password-protected laptop computer containing limited medical information on pediatric patients was stolen from a physician’s car away from campus on the night of January 9.
This incident was reported to Packard Children’s and the School of Medicine on January 10.
The medical information on the stolen laptop was predominantly from 2009 and related to past care and research. The patient data did not include financial or credit card information, nor did it contain Social Security numbers or any other marketable information. It did include names and dates of birth, basic medical descriptors, and medical record numbers, which are used only by the hospital to identify patients. In some cases, there was limited contact information. There is no indication that any patient information has been accessed or compromised.