Arkansas HIPAA Violator Sentenced
An Arkansas woman who was the first in her state to be prosecuted under the Health Insurance Portability and Accountability Act (HIPAA) was sentenced to probation and community service.
Andrea Smith, a 25-year-old woman from Trumann, AR, was sentenced on December 3, 2008, to two years probation and 100 hours of community service for accessing and disclosing a patient’s health information for personal gain, according to Cherith Beck, public information officer with the United States Attorney for the Eastern District of Arkansas.
US District Judge Susan Weber Wright advised Smith during the sentencing on how she should spend her community service hours. “The judge suggested she educate others on the consequences of violating the Health Insurance Portability and Accountability Act,” Beck said.
While working as a licensed practical nurse at Northeast Arkansas Clinic (NEAC) in Jonesboro, AR, Smith accessed an unidentified patient’s medical record on November 28, 2006. Smith then gave the private medical information to her husband, Justin Smith, who called the patient and said he intended to use the information against him or her in “an upcoming legal proceeding,” according to an Eastern District of Arkansas US Attorney press release.
Upon discovery of the HIPAA breach, NEAC fired Smith, and in December 2007 a federal indictment charged her with wrongful disclosure of individually identifiable health information for personal gain and malicious harm. Eventually one criminal count was dropped against Smith, as well as charges against her husband, in exchange for her guilty plea to one remaining count on April 15, 2008. NEAC was not charged in connection with the case.
Smith faced a maximum of 10 years in prison, a fine of no more than $250,000, or both, as well as a term of supervised release of not more than three years.
The Arkansas State Board of Nursing will review a complaint filed against Smith on Feb. 11, when they will decide if her nursing license will be suspended or revoked, according to Arkansas State Board of Nursing Executive Director Faith Fields. Smith’s nursing license is currently expired.
The case is a reminder of the consequences for breaking HIPAA privacy protections, said Eastern District of Arkansas US Attorney Jane Duke, after Smith’s guilty plea.
“What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated,” Duke stated. “Long gone are the days when medical employees were able to snoop around the office files for ‘juicy’ information to share outside the office. We are committed to providing real meaning to HIPAA.”
Chris Dimick (chris.dimick@ahima.org) is staff writer at the Journal of AHIMA.
After reading this article and having worked in the healthcare field for serveral years, I applaude the state of Arkansas for their decision. Being a victim of HIPPA confidentiality breach with my own medical information years ago this is truely a victory. It also sends a serious message to facilities and their employees to hold patient information in the strictes confidence. It is very unfortunate this situation as well as my own years ago happened but situations like these are what have lead to this ruling in Arkansas.
— Winifred L. Allen
December 11th, 2008 at 3:03 pm
I cannot believe in this day and age and all the training and information that someone in the medical field is so blatantly thumbing their nose at the HIPPA guidelines.
I guess nothing should surprise me. I live in Illinois with the worlds most famous governor!
— Pamela Nelson
December 15th, 2008 at 11:49 am