An Arkansas woman who pled guilty to disclosing a patient’s health information was the first in her state to be convicted under the Health Insurance Portability and Accountability Act (HIPAA).

Andrea Smith, a 25-year-old woman from Trumann, AR, admitted to wrongfully disclosing individually identifiable health information for personal gain, according to a statement from Jane W. Duke, United States Attorney for the Eastern District of Arkansas.

Smith, a licensed practical nurse, accessed an unidentified patient’s medical record on November 28, 2006, while working at Northeast Arkansas Clinic (NEAC) in Jonesboro, AR. Andrea Smith then gave the private medical information to her husband, Justin Smith, who called the patient and said he intended to use the information against the patient in “an upcoming legal proceeding,” according to the statement. Upon discovery of the HIPAA breach, NEAC fired Andrea Smith.

A December 2007 indictment changed Andrea Smith with wrongful disclosure of individually identifiable health information for personal gain and malicious harm. Two counts were dropped against Smith, as well as charges against her husband, in exchange for her guilty plea.

Smith faces a maximum of 10 years in prison, a fine of no more than $250,000, or both, as well as a term of supervised release of not more than three years, the statement said. The Arkansas State Board of Nursing has opened a complaint against Smith after learning of the federal conviction, according to the Arkansas Democrat Gazette.

The first Department of Justice HIPAA prosecution was initiated in 2004 in the Western District of Washington, but since then only a “handful” of cases have been prosecuted, US attorney officials said.

However, the case is a reminder of the consequences for breaking HIPAA privacy protections, Duke said. “What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated,” Duke stated. “Long gone are the days when medical employees were able to snoop around the office files for ‘juicy’ information to share outside the office. We are committed to providing real meaning to HIPAA.