Stealing of HIPAA Protected Health Information

The sentencing of Denetria Barnes, a former nursing home worker, to three years in prison for stealing and then selling HIPAA information as part of a scheme to defraud the U. S. government re-emphasizes the need for health care providers to be vigilant in developing and maintaining HIPAA policies and procedures and to maintain written plans for how to deal with HIPAA breaches.

According to a press release on the website for the United States Attorney’s Office for the Middle District of Florida, Barnes and Jakiel Bazart were selling patients’ names, dates of birth, and Social Security numbers. This information was then being used to file fraudulent tax returns.

An article in the Tampa Bay Times published on October 29, 2013, the day of sentencing for Barnes, quotes Patricia Rohani, manager at the nursing home where Barnes worked and obtained some of the stolen PHI, as saying, “[Barnes] was a nice girl, very dependable, very kind to everybody,” Rohani said. “That’s why it came like a big, big shock when I heard about it.”  (See article at:

This story should help motivate any covered entities who have not yet implemented HIPAA policies and procedures and training programs to do so immediately, especially as it is required under 42 CFR 164.530 for all covered entities to train employees on policies and procedures related to protected health information and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. For those with HIPAA programs, they should ensure the policies are up to date and employees have received training on the policies.

The federal government takes HIPAA violations very seriously as evidenced by the prosecution of Barnes and Bazart.  The passage of the HITECH Act provisions which ensured that business associates, not just covered entities, could be criminally prosecuted under HIPAA served as notice that the federal government is cracking down on breaches of protected health information.  According to the Office of Civil Rights (OCR), as of August 31, 2013 over 518 cases involving the knowing disclosure or obtaining of PHI in violation of HIPAA were referred to the Department of Justice for criminal investigation.  OCR itself investigated and “resolved” 21,271 cases as of August 31, 2013.

Speak Your Mind