Long Island Radiologist Arrested over HIPAA Violation – HIPAA Journal
The arrest of a Long Island radiologist on Dec 3, 2014 has prompted Nassau County District Attorney, Kathleen Rice, to call for changes to the state legislation to bring in stiffer penalties for doctors and healthcare professionals who abuse their positions and steal confidential data from their employers.
Currently, state laws do not permit criminal charges to be brought against individuals who are found to have obtained personal identification information relating to patients; in fact, the current NY statutes do not even make it a crime to steal or maliciously disclose patient health information. Because of this loophole, Richard Kessler, M.D., will face only three misdemeanor charges for stealing the records of 97,000 patients from the Long Island medical practice where he worked. Current legislation allows him to be charged with petty larceny, unauthorized use of a computer and unlawful duplication of computer-related material, charges that carry a maximum penalty of 1 year in prison if he is convicted.
The theft of Protected Health Information (PHI) is covered under federal law, so it is possible that federal charges will be brought against Kessler, and possibly against NRAD Medical Associates, the practice where the radiologist worked. Under federal HIPAA regulations, if it can be proven that Kessler stole the data for commercial advantage or personal gain, he could face a jail term of up to 10 years and a fine of $250,000 for the theft.
If the case is investigated by the Department of Health and Human Services’ Office for Civil Rights, the medical center where he worked could also be penalized and could potentially face a fine of up to $1.5 million for the HIPAA security breach if it can be demonstrated that appropriate security controls were not in place. An investigation will also look at all HIPAA compliance issues, and should the center be found to have violated the Privacy and Security Rules, the financial penalty ranges from $1,000 to $50,000 for each individual HIPAA violation.
The security breach was discovered in July and a breach notification was issued to all patients whose PHI had been compromised. There was no indication that Kessler used the PHI or other data he obtained for any criminal purposes such as making fraudulent claims, acquiring property or opening accounts.
The doctor is alleged to have taken a portable hard drive into the medical center between Jan 17 and April 24. He plugged in the drive and copied the NRAD patient database, taking highly sensitive information including NRAD credit card information, marketing materials and IT information. He took approximately 97,000 patient records, which included Social Security numbers, diagnosis codes, procedure codes, treatment information, dates of birth and patient contact information.
Law enforcement officers conducted a search of the doctor’s home and discovered the hard drive containing the information; it is believed that all of the stolen data has been recovered. Kessler told law enforcement officers that he had taken the data to help him start his own practice. Kessler has been arraigned, and the case will be heard by the courts on 6th January 2015.