July 21, 09

NEWS / Doctor and Two Former Hospital Employees Plead Guilty to HIPAA Violations

LITTLE ROCK, AR—Jane W. Duke, United States Attorney for the Eastern District of Arkansas, along with Thomas J. Browne, Special-Agent-in-Charge of the Little Rock Division of the Federal Bureau of Investigation, announced today the guilty pleas of Dr. Jay Holland, age 56, of Little Rock, Arkansas; Sarah Elizabeth Miller, age 28, of England, Arkansas; and Candida Griffin, age 34 of Little Rock, Arkansas. Each pled to a misdemeanor violation of the health information privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) based on their accessing a patient’s record without any legitimate purpose. The pleas were accepted by United States Magistrate Judge Henry L. Jones, Jr.

Dr. Holland, Medical Director of Select Specialty Hospital, located on the 6th floor of the St. Vincent Infirmary Medical Center (SVIMC), admitted that after watching news reports on television, he logged on to the SVIMC patient records from his computer at home and accessed a patient’s files to determine if the news reports were accurate. He stated he then logged off the computer admitting that it was inappropriate for him to be looking at the file. He admitted he accessed the file because he was curious. Dr. Holland stated that he had had HIPAA training and that he understood he was violating HIPAA when he accessed the file. SVIMC suspended Dr. Holland’s privileges for two weeks and required him to complete on-line HIPAA training.

Sarah Elizabeth Miller, formerly an account representative at SVIMC, Sherwood Campus, was responsible for checking patients in and out of the clinic and for processing patient billing. In order to perform her duties, she had access to the SVIMC patient records program which includes all locations, not just that of the Sherwood clinic. Miller admitted that on October 20 and 21, 2008, she accessed a patient’s files approximately 12 times out of curiosity. She admitted that she accessed the records without any legitimate purpose. Records show that Miller was trained on HIPAA privacy laws by SVIMC. SVIMC fired Miller from her position.

Candida Griffin was the emergency room unit coordinator at SVIMC. Her responsibilities were secretarial in nature—ordering patient tests and data entry into electronic patient files for patients in the emergency room. Griffin admitted that on October 20, 2008, she was told by the charge nurse to set-up an alias for a particular patient admitted to the emergency room. On October 21, 2008, after the patient had been moved to ICU, Griffin admitted that she became curious about the patient’s status and accessed the medical chart to find out if the patient was still living. Griffin did not inform anyone about accessing the chart however, hospital records show that the patient’s records were accessed three times that day by Ms. Griffin. SVIMC records show that Griffin was trained on HIPAA privacy laws. SVIMC fired Griffin from her position.

Pursuant to plea agreements with the United States, Holland, Miller and Griffin pleaded guilty to a misdemeanor a violation of the health information privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) based on their accessing a patient’s record without any legitimate purpose. Each faces a maximum penalty of one year imprisonment, a fine of not more than $50,000, or both. A sentencing date has not yet been set, but it is anticipated to be within the next 45-60 days.

“The HIPAA privacy protections are real, and we hope that through vigorous enforcement of HIPAA’s right-to-privacy protections and swift prosecution of those who violate HIPAA, we can deter those in the medical industry who have access to protected health information from searching others’ medical records merely to satisfy their own curiosity,” stated Duke.

To report a HIPAA violation, follow the instructions at the US Department of Health and Human Services Office for Civil Rights website: www.hhs.gov/ocr/privacyhowtofile.htm or call 214-767-4056, the regional office with oversight over violations occurring in Arkansas.

This case was investigated by the Little Rock Division of the Federal Bureau of Investigation and was prosecuted by Assistant U.S. Attorney Laura G. Hoey.