Patient records at a Little Rock plastic surgery clinic have allegedly been downloaded by a former employee without the clinic’s or patients’ consent.
Little Rock Plastic Surgery, operated by Dr. Michael Spann, has announced that a nurse formerly employed by the clinic downloaded “reports, images and other information containing Protected Health Information (PHI).”
According to a release from the clinic, the downloads were discovered around July 15, 2019. After investigating the downloads, the nurse was terminated from the clinic. Notices about the downloads were distributed by mail to patients on Sept. 13.
The former employee allegedly was attempting to use the patient records to lure patients away from Little Rock Plastic Surgery. Patients have reportedly told the clinic that the former employee had contacted them to reschedule appointments at a different location.
The former employee has not been identified.
Clinic officials say that the former employee still has patient information and that the Arkansas State Board of Nursing and the Arkansas Attorney General’s office have been contacted. “We contacted the nurse on several occasions and requested all patient information be returned immediately. To date, she refuses to comply with such request,” a clinic press release reads.
Using Protected Health Information in this way is likely a violation of the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, health care workers are able to use patient health information to determine care and coordinate services. Health information can also be shared with government agencies providing benefits, with law enforcement (subject to court order or as required by law) and for other permitted purposes.
According to the HIPAA Journal, there are four tiers of HIPAA violations, ranging from Tier 1 to Tier 4. Tier 1 is an unknowing violation, one that a health care professional exercising due diligence would not have been aware of. A Tier 2 violation is one in which there is “reasonable cause” that a professional should have known about the violation. A Tier 3 violation is one of “willful neglect” in which the violation is corrected within 30 days of discovery. A Tier 4 violation is one made with “willful neglect” with “no effort made to correct the violation within 30 days of discovery.”
The HIPAA Journal lists a range of fines from $100-$50,000 per violation in Tier 1 to $50,000 per violation in Tier 4. For the Tier 1 violation, there is a maximum penalty of $25,000 per year; for Tier 2, a maximum of $100,000 per year; for Tier 3, a maximum of $250,000 per year; and for Tier 4, a maximum of $1.5 million per year.
Criminal charges are also possible. There is a maximum jail sentence of 10 years if protected health care information is “stolen with the intent to sell, transfer or use for personal gain, commercial advantage or malicious harm,” according to the HIPAA Journal.
Arkansas Money & Politics has reached out to Spann for comment.
Read the full letter from Little Rock Plastic Surgery below: