Arkansas HIPAA Violator Sentenced

An Arkansas woman who was the first in her state to be prosecuted under the Health Insurance Portability and Accountability Act (HIPAA) was sentenced to probation and community service.

Andrea Smith, a 25-year-old woman from Trumann, AR, was sentenced on December 3, 2008, to two years probation and 100 hours of community service for accessing and disclosing a patient’s health information for personal gain, according to Cherith Beck, public information officer with the United States Attorney for the Eastern District of Arkansas.

US District Judge Susan Weber Wright advised Smith during the sentencing on how she should spend her community service hours. “The judge suggested she educate others on the consequences of violating the Health Insurance Portability and Accountability Act,” Beck said.

While working as a licensed practical nurse at Northeast Arkansas Clinic (NEAC) in Jonesboro, AR, Smith accessed an unidentified patient’s medical record on November 28, 2006. Smith then gave the private medical information to her husband, Justin Smith, who called the patient and said he intended to use the information against him or her in “an upcoming legal proceeding,” according to an Eastern District of Arkansas US Attorney press release.

Upon discovery of the HIPAA breach, NEAC fired Smith, and in December 2007 a federal indictment charged her with wrongful disclosure of individually identifiable health information for personal gain and malicious harm. Eventually one criminal count was dropped against Smith, as well as charges against her husband, in exchange for her guilty plea to one remaining count on April 15, 2008. NEAC was not charged in connection with the case.

Smith faced a maximum of 10 years in prison, a fine of no more than $250,000, or both, as well as a term of supervised release of not more than three years.

The Arkansas State Board of Nursing will review a complaint filed against Smith on Feb. 11, when they will decide if her nursing license will be suspended or revoked, according to Arkansas State Board of Nursing Executive Director Faith Fields. Smith’s nursing license is currently expired.

The case is a reminder of the consequences for breaking HIPAA privacy protections, said Eastern District of Arkansas US Attorney Jane Duke, after Smith’s guilty plea.

“What every HIPAA-covered entity needs to realize and reinforce to its employees is that the privacy provisions of HIPAA are serious and have significant consequences if they are violated,” Duke stated. “Long gone are the days when medical employees were able to snoop around the office files for ‘juicy’ information to share outside the office. We are committed to providing real meaning to HIPAA.”

Chris Dimick ( is staff writer at the Journal of AHIMA.


  1. After reading this article and having worked in the healthcare field for serveral years, I applaude the state of Arkansas for their decision. Being a victim of HIPPA confidentiality breach with my own medical information years ago this is truely a victory. It also sends a serious message to facilities and their employees to hold patient information in the strictes confidence. It is very unfortunate this situation as well as my own years ago happened but situations like these are what have lead to this ruling in Arkansas.

    Post a Reply
  2. I cannot believe in this day and age and all the training and information that someone in the medical field is so blatantly thumbing their nose at the HIPPA guidelines.
    I guess nothing should surprise me. I live in Illinois with the worlds most famous governor!

    Post a Reply
  3. I had my PHI leaked alongsidemy full name over 4 times along with lies by a dr.’s wife. The OCR said they would ask her to correct the 1st instance, but would hear no more complaints from the complaintaint (myself) abbout the leaking of my PHI on public physician rating websites. The problem being after I left this office the wife got into my file and wrote lies; such asme being fired as a patient, and that I always asked for early refills(which my ins. won’t even cover), it took me months and multiple, very embarassing visits and calls before I was able to get a dr. to look at my medical record to see nothing matched what she said. Who should I talk to. Neither her or her husband have been in any trouble & I am wracked w/sickness & pain because I can’t remove it from my file. HELP!!!!!

    Post a Reply
  4. go to have the law for older people

    Post a Reply
  5. People don’t kid your selves that you can file a valid complaint with the ocr and expect them to do anything.
    First do the math, the ocr says on Thier Web site that they took in over 138,000 hipaa complaints and resolved over 96% of v them but yet they only sent 570 complaints to the DOJ! That’s 1/2%. The ocr is a department under hhs, they have no power or authority to investigate or prosicut any crimes period. All they and do is impose civil monitory penalties for civil violations. They are suppose to forward all criminal complaints to the DOJ but they don’t 99.5 times out of a 100. The FBI has c the power to investigate criminal hipaa violations in fact they are the only federal agency that can. But if you call them about a hipaa complaint all they will do is tell you to file with the ocr, if you try and stay on the phone with them, they just hang up on you.
    Don’t belive me, just try it. Also use the Fredoom of information Act to get all the copies of of hipaa complaints of you favorite hospital, they have to give them to you. You will be surprised to see that if the ocr even read your complaint, the most they will do is sent a letter to the hospital, tell them what you said and ask them to do a self investigation. I’m sure you’ll find the same thing I did and that was the hospitals always say they could find no evidence of the claim. At that point the ocr simply closes the case and calls it resolved. I kid you not!
    How ever all is not. There has been some criminal procicutions from good American prosicutor like Jane Duke but other than her the only ones have been as bi prodcuts other investigation or when the privlaged few have Thier rights violated. If you want justice for having you hipaa rights violated you will have to have the services of a connected attorney to get you complaint past the ocr and FBI right to a US attorney where they can present it to a grand jury. If you properly prepare your case , you can also ask your Conresssman to enquire why the ocr failed to follow the law and take action.
    This is real people, just another scam the government and our politicians have pulled over our eyes once again.
    The facts of my clain are public domain and can be verified by anyone thanks to the Fredoom of Information Act.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!