A former healthcare worker has been sentenced to two years in prison for illegally accessing and disclosing the health records of Supreme Court Justice Ruth Bader Ginsburg. The case centers on the defendant’s actions in 2019, when public speculation about Ginsburg’s health was widespread.
The defendant, a transplant coordinator for an organ procurement and transplantation network in the Washington, DC, area, had access to hospital records across the region. In 2019, he accessed Ginsburg’s private medical data and disclosed it on various internet forums. Prosecutors said the defendant also posted a false claim that Ginsburg had already died, fueling public speculation.
Although the jury convicted the defendant earlier this year of illegally accessing and altering the health records, it acquitted him on the charge of posting the false claim of Ginsburg’s death, citing insufficient evidence.
The defendant denied knowingly accessing the records, suggesting that his cat may have triggered the search by walking across his keyboard. The jury rejected this defense.
Compliance Perspective
Issue
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requires facilities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (ePHI). Facilities must ensure the confidentiality of all ePHI they create, receive, maintain, or transmit. The Security Rule defines confidentiality to mean that ePHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of protected health information (PHI). Facilities must provide for appropriate authorization and supervision of workforce members who work with ePHI. All workforce members must be trained regarding security policies and procedures, and facilities must have and apply appropriate sanctions against workforce members who violate the policies and procedures.
Discussion Points
- Healthcare facilities should regularly review and update their policies and procedures related to HIPAA, PHI, and Privacy to ensure they are aligned with current regulations and best practices. Ensure policies specifically address preventing staff from impermissibly accessing PHI and ePHI, particularly under circumstances where personal or confidential data may be exposed.
- Train all staff on HIPAA, PHI, and Privacy, minimally upon hire and annually. Training should cover the significance of ePHI, the legal requirements around confidentiality, and the proper handling of sensitive patient information. Documentation of these training sessions should be maintained, and signed training acknowledgment forms should be kept in each employee’s education files.
- Facilities should conduct periodic audits to ensure that their policies and procedures regarding HIPAA, PHI, and Privacy are being followed by all staff. Audits should check for unauthorized access to ePHI and PHI and confirm that records were accessed only for legitimate, work-related purposes. These audits should also assess staff members’ understanding of and competency in HIPAA policies to ensure compliance and prevent breaches.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*