It seems there are more and more stories related to patient privacy and HIPAA popping up lately. Today another story caught my eye related to them.

Joseph Nathaniel Harris, the former branch manager of the San Jose Medical Group’s McKee clinic was sentenced last Friday (10/5) to “21 months in prison and three years of supervised release. Judge Jeremy Fogel also ordered him to pay $145,154 in restitution.”
Harris pleaded guilty to stealing computer equipment and a DVD containing “patients’ names, Social Security numbers, medical diagnoses and other information.”
He reportedly also stole money and medications from the clinic, and is suspected of burglerizing the area clinics after he left his job as manager.
What is interesting is that, before he was hired as manager of the clinic, he had been

“fired from a 2003 job at the Silicon Valley Children’s Fund for conducting personal business, including selling computers on Craigslist, on company time. After he was fired from that job, there was a burglary at the Children’s Fund offices and two computers were stolen.”

HIPAA was not mentioned in as a consideration in the charges or sentencing, but prison time is one of the possible sanctions under HIPAA.
* Organizations must be aware of the insider threat and address it with procedures, training and awareness. Background checks for positions with authorized access to sensitive information should be done if possible. Personnel should be told how to spot red flags of coworkers who may be doing bad things, and they should know how to report them.
* It will be interesting to see if the Department of Health and Human Services pursues doing an audit within the clinic to identify HIPAA violations. Considering the extent of Harris’ criminal actions it looks as though the privacy and security safeguards required by HIPAA were far from being followed.

Tags: awareness and training, HHS, HIPAA, Information Security, IT compliance, Johseph Nathaniel Harris, McKee Clinic, patient privacy, PHI, policies and procedures, privacy, privacy rule, San Jose Medical Group, security rule

This entry was posted on Thursday, October 11th, 2007 at 6:45 pm and is filed under Information Security, Laws & Regulations, Non-compliance Sanctions Examples, Privacy and Compliance, Privacy Incidents. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.