Doctor is Arrested for Stealing Thousands of Patient Records
February 16, 2015 – In The News
Michael Kline and Elizabeth Litten were quoted in the Medical Practice Compliance Alert article “Doctor is Arrested for Stealing Thousands of Patient Records.” Full text can be found in the February 16, 2015, issue, but a synopsis is below.
A theft of patient protected health information may invoke more than federal and state privacy laws. It can also mean criminal charges under state penal laws.
Radiologist James Kessler learned the hard way when he was arrested for stealing the PHI of nearly 100,000 patients.
“There is no indication that it was difficult for Kessler to do this. He didn’t treat all 100,000 patients, so why did he have the ability to copy all of those files? There are technical safety mechanisms and audit controls to limit that access,” explained Elizabeth Litten.
In some situations, ownership of some records may need to be negotiated, and the contract may need to specify who gets which records in the event of a separation. For example, if a physician brings patients to a practice, the employee may be entitled to own and take those patients’ records, noted Michael Kline.
"Implement safeguards to reduce the risk that an employee can access records outside of his or her job responsibilities. Also ensure that the practice provides HIPAA training, so that if an employee does violate HIPAA the action is less likely to be attributed to the employer," says Kline.
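As an added illustration of the "technical safety mechanisms and audit controls" Litten refers to and the safeguards Kline recommends (example code written for this page, not from the article or the firm), the following Python models a record store that only serves a patient's record to a clinician with a treatment relationship to that patient, writes every attempt (allowed or denied) to an audit log, and flags any user who touches an unusual number of distinct patients in a short window. The care-team table, patient IDs, clinician names and thresholds are all constructed for the example.

```python
"""
Added example, not from the article: a "minimum necessary" access check for
patient records, an audit trail of every attempt, and a detector that flags
bulk access across many patients. Names, records and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    patient_id: str
    allowed: bool
    reason: str


class RecordStore:
    """Holds PHI and enforces that a user may only read records of patients
    they have a treatment relationship with (constructed care-team table)."""

    def __init__(self, care_team: dict[str, set[str]], records: dict[str, str]):
        self.care_team = care_team      # patient_id -> set of clinician ids
        self.records = records          # patient_id -> record text
        self.audit_log: list[AuditEvent] = []

    def read_record(self, user: str, patient_id: str, now: datetime,
                    break_glass: bool = False) -> str:
        """Return the record if the user treats the patient. Break-glass access
        (emergency override) is permitted but recorded for review. Denied
        attempts are logged too, since they are a useful detection signal."""
        if user in self.care_team.get(patient_id, set()):
            allowed, reason = True, "treatment-relationship"
        elif break_glass:
            allowed, reason = True, "break-glass"
        else:
            allowed, reason = False, "no-treatment-relationship"
        self.audit_log.append(AuditEvent(now, user, patient_id, allowed, reason))
        if not allowed:
            raise PermissionError(f"{user} may not read {patient_id}")
        return self.records[patient_id]


def bulk_access_alerts(audit_log: list[AuditEvent], window: timedelta,
                       max_patients: int) -> dict[str, int]:
    """Return {user: peak distinct patients} for users whose attempts (allowed
    or denied) touched more than max_patients distinct patients in any window.
    Reviewing such spikes is how copying 'all of those files' gets noticed."""
    by_user: dict[str, list[AuditEvent]] = {}
    for ev in audit_log:
        by_user.setdefault(ev.user, []).append(ev)
    alerts: dict[str, int] = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        peak = 0
        for i, start in enumerate(events):
            seen = {e.patient_id for e in events[i:]
                    if e.when - start.when <= window}
            peak = max(peak, len(seen))
        if peak > max_patients:
            alerts[user] = peak
    return alerts


def demo() -> tuple[dict[str, int], int]:
    """Constructed scenario: clinician_a reads their own patients; clinician_b
    sweeps every record in the store. Returns (alerts, denied_count)."""
    care_team = {f"P{n:03d}": {"clinician_a"} for n in range(1, 6)}
    care_team["P006"] = {"clinician_b"}
    records = {pid: f"record for {pid}" for pid in care_team}
    store = RecordStore(care_team, records)
    t0 = datetime(2015, 2, 1, 9, 0)

    # Normal use: clinician_a reads two of the patients they treat.
    store.read_record("clinician_a", "P001", t0)
    store.read_record("clinician_a", "P002", t0 + timedelta(minutes=5))

    # Suspicious use: clinician_b attempts every patient within a few minutes.
    denied = 0
    for i, pid in enumerate(sorted(records)):
        try:
            store.read_record("clinician_b", pid, t0 + timedelta(minutes=i))
        except PermissionError:
            denied += 1

    alerts = bulk_access_alerts(store.audit_log, timedelta(hours=1), max_patients=3)
    return alerts, denied


if __name__ == "__main__":
    print(demo())  # ({'clinician_b': 6}, 5)
```

The point of logging denied attempts alongside allowed ones is that a user probing records they are not entitled to shows up in the volume detector even when the access check blocks them; a real deployment would feed the same audit events into the practice's SIEM and review break-glass use separately.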
Litten also advises making sure that the employment agreement complies with state law. "Many states have laws regarding the reach of an employment agreement with physicians, such as reasonable noncompetes and continuity of care provisions," she says. "For instance, it varies whether an individual doctor or the practice itself is seen as having the relationship with the patients; there may even be state laws on the rights of patients in the event of a physician’s separation from a practice."
Litten explains that it is important to have an action plan to handle data breaches. "Be prepared to investigate an incident that may be a security breach using the four steps required by HIPAA’s breach-notification requirements to see whether the breach needs to be reported," she notes. "Also be prepared to report a breach not only to the HHS and the state under HIPAA and state-notification laws but also to law enforcement when dealing with criminal activity such as theft and hacking."