Five Former Methodist Hospital Employees Charged with HIPAA Violations
Thursday, November 10, 2022
Five Former Methodist Hospital Employees Charged with HIPAA Violations
Memphis, TN – A
federal grand jury has indicted five former Methodist Hospital
Employees for conspiring with Roderick Harvey, 40, to unlawfully
disclose patient information in violation of the Health Insurance
Portability and Accountability Act of 1996, commonly known as “HIPAA.”
United States Attorney Kevin G. Ritz announced the indictment today.
HIPAA was enacted by Congress in 1996 to create national standards to
protect sensitive patient information from being disclosed without a
patient’s knowledge or consent. HIPAA’s provisions make it a crime to
disclose patient information, or to obtain patient information with the
intent to sell, transfer or use such information for personal gain.
According to the indictment, between November 2017 and December 2020,
Harvey paid Kirby Dandridge, 38, Sylvia Taylor, 43, Kara Thompson, 30,
Melanie Russell, 41, and Adrianna Taber, 26, to provide him with names
and phone numbers of Methodist patients who had been involved in motor
vehicle accidents. After obtaining the information, Harvey sold the
information to third persons including personal injury attorneys and
chiropractors.
The conspiracy charge carries a maximum penalty of five years
imprisonment, a fine of $250,000 and three-year period of supervised
release.
Harvey was also charged with seven counts of obtaining patient
information with the intent to sell it for financial gain on various
dates between November 12, 2017, and September 7, 2019. Each of those
charges carries a maximum penalty of 10 years’ imprisonment, a fine of
$250,000 and three years’ of supervised release.
Dandridge, Taylor, Thompson, Russell, and Taber were each charged
with separate violations of disclosing the information to Harvey in
violation of HIPAA. That charge carries a maximum penalty of one year
imprisonment, a $50,000 fine and a one-year period of supervised
release.
This case was investigated by the Federal Bureau of Investigation and the Tennessee Bureau of Investigation.
United States Attorney Kevin Ritz thanked Assistant United States Attorney Carroll L. André III, who is prosecuting the case.
The charges and allegations in the indictment are merely
accusations, and the defendants are presumed innocent unless and until
proven guilty.
| National Pharmacy Chain Extends Protections for PHI on Insurance Cards Covered Entity: Pharmacies Issue: Impermissible Uses and Disclosures; Safeguards A pharmacy employee placed a customer's insurance card in another customer's prescription bag. The pharmacy did not consider the customer's insurance card to be protected health information (PHI). OCR clarified that an individual's health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff. The revised policies are applicable to all individual ...read more |
| Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees Covered Entity: Private Practice Issue: Access A patient alleged that a covered entity failed to provide him access to his medical records. After OCR notified the entity of the allegation, the entity released the complainant’s medical records but also billed him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the individual. To ...read more |
| Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI? This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded. Yes. When an individual requests access to her PHI and the covered entity intends to charge the ...read more |
| Issued by: Office for Civil Rights (OCR) Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States? Answer: Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules. However, while the HIPAA Rules do not include requirements specific to protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that ...read more |
|
July 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | 1 | 2 | 3 | 4 |
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54) January 2025 (1)
Blog Labels
BAA (4) Data Breach (1) HIPAA Enforcement (3) EHR Fraud (1) HIPAA (2) Covered Entity (40) PPP Fraud (1) ePHI (2) Telehealth (1)
|