A man from Georgia falsely accused a former acquaintance of breaking HIPAA rules by violating patient privacy. He was later sentenced to serve 6 months in jail and pay a fine of $1,200 for fabricating evidence.
Jeffrey Parker, a 44-year-old resident of Rincon, GA, made himself out to be a HIPAA whistleblower last October 2019 by reporting a nurse working at a hospital in Savannah, GA for allegedly committing grave privacy violations. He accused the nurse of, among other things, internally and externally emailing graphic pictures of hospital patients’ traumatic injuries.
Court documents describe Parker as having “engaged in an intricate scheme” to implicate a former acquaintance in the crime of breaching the Federal Health Insurance Portability and Accountability Act’s Privacy Rule.
HIPAA’s privacy rule establishes the national standards for safeguarding a patient’s Protected Health Information (PHI). It works to limit the circumstances in which a patient’s information, including medical histories, may be disclosed by healthcare organizations to others. Parker claimed this rule was violated by the nurse in sending out patients’ PHI related to the individual’s past, present, or future medical condition.
Parker initiated his scheme by creating fake email accounts to send accusations of privacy violations against the nurse to the Savannah hospital in question, the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ).
"Parker created email addresses using the names of real individuals and pretended to be these individuals to make it appear as if the acquaintance committed a crime," prosecutors say.
"He sent the emails to the hospital where the acquaintance worked, to the DOJ, and to the FBI, and then claimed to have received threatening messages in retaliation for acting as a whistleblower. FBI agents quickly responded by acting to ensure Parker’s safety and investigate his allegations, and under subsequent questioning, Parker admitted concocting the scheme in an attempt to harm the former acquaintance."
Parker furthered the allegations by saying he had received threats for coming out with the truth. Law authorities then took the necessary steps to afford him safety and protection. However, when Parker was further questioned on these different allegations the FBI agent conducting the questioning was able to pick out gaps and irregularities in his story.
Chris Hacker, special agent in charge of the FBI Atlanta, shared: “Many hours of investigation and resources were wasted determining that Parker's whistleblower complaints were fake, meant to do harm to another citizen. Before he could do more damage, his elaborate scheme was uncovered by a perceptive agent and now he will serve time for his deliberate transgression.”
Ultimately, Parker confessed and pleaded guilty to making false accusations against his former acquaintance. He faced a potential 5-year term but was eventually sentenced by U.S. District Court Judge Lisa Godbey Wood to serve 6 months in jail.
“Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations. This fake complaint caused a diversion of resources by federal investigators, as well as an unnecessary distraction for an important health care institution in our community,” stated U.S. Attorney Bobby L. Christine upon Parker’s indictment.
Parker was determined ineligible for parole and must carry out the full sentence with 3 years of supervised release upon completion.
Independent HIPAA attorney Paul Hales noted on the case: “Key takeaways are the FBI’s speed in investigating the defendant’s claim that someone committed a HIPAA crime and the Department of Justice’s commitment to HIPAA criminal enforcement. The case stems from the defendant’s alleged attempt to cause trouble for a former acquaintance. But he left an electronic trail leading right back to him - and there is always an electronic trail.”
HIPAA violations such as those implicated in the aforementioned case may result in fines up to $1.5 million and 10 years in jail, making HIPAA compliance integral for any healthcare organization.
HIPAA compliance refers to the fulfillment and satisfaction of HIPAA’s regulatory standards. This means organizations should have the physical, network, and process security measures in place to handle PHI.
Aside from medical histories, PHI includes any data that may be used to identify a patient such as their insurance information, demographic data, test results, and the like.
HIPAA regulations consist of several rules aimed at protecting patient privacy. Significant rules include HIPAA’s Privacy Rule and Security Rule.
The latter establishes national standards for safeguarding electronic PHI (ePHI). This provides for the secure maintenance, transmissions, and handling of ePHI, including physical, administrative, and technical safeguards. These safeguards include:
OSHA regulations are involved in HIPAA compliance as well when it comes to handling PHI. OSHA’s recordkeeping requirements mandate certain illnesses or injuries to be recorded or reported if work-related. When circumstances or exposure in the workplace caused or contributed to the development of a condition or negatively affected a pre-existing condition it is considered a work-related illness or injury.
OSHA employee training aids employees in being able to identify these circumstances and appropriately respond.
“Situation, Background, Assessment, Recommendations” or SBAR is a technique used by healthcare professionals to refine communication within a healthcare team. It is essentially the best practice for nurses, doctors, and the like to convey medical information about a patient in such a way that guarantees confidentiality.
SBAR is used in the following way: