Live Chat | Login | Blog | Careers

emPower eLearning: January 2013

emPower eLearning

Wednesday, January 30, 2013

Former Florida hospital employee sentenced to federal prison for data theft

ORLANDO—U.S. District Judge Roy B. Dalton, Jr. today sentenced Dale Munroe, II (35, Winter Haven) to 12 months and one day in federal prison for his role in stealing the information of Florida Hospital patients. As part of his sentence, Munroe was also ordered to serve a two-year term of supervised release. Munroe pleaded guilty on October 22, 2012.

According to court documents, Munroe was hired at the Celebration, Florida location of Florida Hospital in July 2006. During his employment, he worked as a registration representative in the Emergency Department, where he would register patients as they came in the main emergency entrance. From January 2009, until his termination in July 2011, Munroe used his position to obtain individually identifiable health information of patients of Florida Hospital who had been involved in motor vehicle accidents. Munroe would then disclose that information to Sergei Kusyakov, who was involved in the operation of two chiropractic clinics (Metro Chiropractic and Wellness Center and City Lights Medical Center). Kuskyakov and other conspirators would then use the stolen information to solicit Florida Hospital patients for chiropractic and legal services. Kusyakov would pay Munroe for his role in providing the stolen information. On July 12, 2011, Munroe was terminated by Florida Hospital for a patient data breach that was unrelated to the conspiracy described above.

Approximately a week after his termination, Katrina Munroe (30, Winter Haven), Munroe’s wife and also an employee of Florida Hospital, was recruited by the conspirators to take over the role of stealing patient data and providing it to Kusyakov. In August 2012, Katrina Munroe was terminated from her position at the hospital, after becoming a suspect in a data breach incident. In December 2012, she pleaded guilty to her role in the conspiracy. She faces a maximum penalty of five years in federal prison. Her sentencing hearing has been set for March 11, 2013.

On January 7, 2013, Sergei Kusyakov (38, Davenport) pleaded guilty to one count of conspiracy and four counts of wrongful disclosure of individually identifiable health information. He faces a maximum penalty of 45 years in federal prison. His sentencing hearing has been set for March 25, 2013.

These cases were investigated by the Federal Bureau of Investigation and the Florida Department of Financial Services, Division of Insurance Fraud. They are being prosecuted by Assistant United States Attorney Roger B. Handberg.


Monday, January 28, 2013

HIPAA final rule out in Federal Register

A pre-publication version of the much anticipated final Omnibus Health Insurance Portability and Accountability Act (HIPAA) rule (the Final Rule) was issued January 17, 2013 with publication in the Federal Register scheduled for January 25, 2013. While the Final Rule becomes effective March 26, 2013, covered entities and business associates have until September 23, 2013, to comply and, in the case of existing business associate agreements, covered entities have until September 2014 to make changes. The full breadth of the nearly 600-page rule will take some time to fully analyze. As we continue to analyze the complex regulations, however, here are a few highlights:
  • Probably the most significant change in the Final Rule is a modification to the determination of what is a reportable breach. The Final Rule removes the risk of significant harm standard, which, in the interim final rule, limited breach notification obligations to breaches that a covered entity determined to pose a significant, financial, reputational or other harm to individuals affected by the breach. The Final Rule replaced the risk of significant harm standard with the provision that "an impermissible use or disclosure of protected health information ("PHI") is presumed to be a breach unless the covered entity or business associate ... demonstrates that there is a low probability that the PHI has been compromised." In other words, the Final Rule now requires a covered entity to notify individuals about a breach unless it can demonstrate a low probability that PHI has been compromised. This presumption that all impermissible use of PHI is a breach is a significant departure from the risk of significant harm standard.
  • The Final Rule and Business Associates. As required by the Health Information Technology and Clinical Health Act (HITECH), the Final Rule extends Privacy and Security compliance obligations to business associates, and it defines business associates to include subcontractors of business associates whose work involves protected health information. To the disappointment of many in the industry, there is no new model language for business associate agreements.
  • The Final Rule strengthens HIPAA enforcement. As required by HITECH, the Final Rule increased civil monetary penalties and caps them at an annual $1.5 million, up from $25,000. (Note: in a previous Alert, which can be found here, we illustrated OCR's enforcement ability under HITECH.)
  • The Privacy Rule is amended as mandated in the Genetic Information Nondiscrimination Act (GINA): The Final Rule, as required in GINA, prevents covered entitles from disclosing or otherwise using an individual's genetic information for underwriting purposes.
  • The HIPAA mega rule has been published in the Federal Register today — this one you can search by links, and this one is in the three-column PDF format.

Labels: , , , , ,