Unauthorized Medical Record Access and Disclosure Results in 1 Year Jail Term

The penalties for HIPAA violations are usually restricted to fines for the covered entity or business associate discovered to have violated HIPAA. However, in certain cases, investigations into alleged HIPAA violations can result in criminal penalties for the individuals concerned.

Criminal penalties for HIPAA violations are handled by the Department of Justice and are relatively rare. They are usually pursued when protected health information (PHI) has been stolen and used to cause malicious harm, such as identity theft.

The latest case involves a former patient care coordinator who was discovered to have accessed the PHI of 111 patients without authorization or any legitimate work reason for doing so.

Sue Kalina, 62, of Butler, PA, took the position of patient care coordinator at University of Pittsburgh Medical Center (UPMC) Tri Rivers Musculoskeletal after she was terminated by Frank J. Zottola Construction, where she had worked as office manager. Kalina worked at the construction firm for 24 years but was dismissed in 2016. The position of office manager was filled by a younger woman.

Unhappy about her termination, Kalina abused her PHI access rights and viewed the medical records of the woman who had replaced her at the construction firm. She subsequently disclosed some of the woman’s gynecological health information to the Zottola Construction controller in June 2017. Kalina also left a voicemail message at the firm in which she disclosed gynecological information from the woman’s medical record.

Zottola filed a complaint with UPMC about the disclosures. The investigation revealed Kalina had first accessed patient records without authorization on March 30, 2016 and continued to do so until June 15, 2017. In total, the records of 111 individuals were accessed.

Kalina was terminated and took on the position of patient care coordinator at Allegheny Health Network, where she is alleged to have accessed further patient records.

Kalina claimed she was unaware that she was not permitted to access patient records and did not believe she was breaking the law. The prosecutors said the ignorance claim was a ‘complete farce’ as Kalina had been provided with training on HIPAA at UPMC and should have been well aware that accessing patient records without authorization was a violation of HIPAA.

The prosecutors were seeking a jail term of between 6 and 12 months for the offenses. U.S. District Judge Arthur Schwab opted for a sentence at the upper end of the scale due to the egregious nature of the HIPAA violations and sentenced Kalina to 12 months in jail with 3 years of probation. Kalina has also been prohibited from contacting any of the 111 individuals whose PHI she accessed.