A 39-month prison sentence was handed down Feb. 1 for an Alabama woman who had pleaded guilty to stealing more than 4,000 patient records from a Birmingham hospital.
A federal district court sentenced Chelsea Catherine Stewart to 15 months for wrongfully obtaining individual health information in violation of HIPAA, along with an unrelated bank fraud attempt — as well as 24 months for aggravated identity theft related to the bank fraud.
The HIPAA conviction was unusual in that Stewart was neither a HIPAA-covered entity nor the employee of one. She took hundreds of pages of records from Trinity Medical Center between March 22 and April 8, 2011, prosecutors had alleged, while an “associate” of hers was a patient there.
The records were surgery schedules that included patient names, birth dates, SSNs and some medical information on the scheduled procedure, and were taken from a closed patient registration area, the hospital indicated at the time. They were found when police investigating a separate case searched Stewart’s residence.
Stewart “could have wreaked financial havoc for untold numbers of individuals through her theft of identifying information on thousands of hospital patients,” said local U.S. Attorney Joyce White Vance.
The HITECH Act clarified that individuals who are not themselves HIPAA-covered entities still may be criminally prosecuted for wrongfully disclosing or obtaining a covered entity’s “individually identifiable health information” without authorization.
HIPAA civil and criminal enforcement is covered in the Employer’s Guide to HIPAA and Employer’s Guide to HIPAA Privacy Requirements.