Three Arkansas health workers plead guilty to HIPAA violations
Jay Holland, MD, of Little Rock, Ark., Sarah Elizabeth Miller of England, Ark., and Candida Griffin of Little Rock, have pled guilty to HIPAA violation charges, according to the U.S. Attorney for the Eastern District of Arkansas, Jane W. Duke.

Each pled to a misdemeanor violation of HIPAA health information privacy provisions, based on their accessing a patient's record without any legitimate purpose. The pleas were accepted by U.S. Magistrate Judge Henry L. Jones, Jr.

Holland, medical director of Select Specialty Hospital within St. Vincent Infirmary Medical Center (SVIMC) in Little Rock, admitted that after watching television news reports, he accessed a patient's files from his home computer to determine if the reports were accurate.

He admitted it was inappropriate to view the file and said he accessed the file out of curiosity. Holland had received HIPAA training and said he understood that he violated HIPAA in his actions. SVIMC suspended Holland's privileges for two weeks and required him to complete online HIPAA training.

Sarah Elizabeth Miller, formerly an account representative at SVIMC, was responsible for admitting and discharging patients in the clinic and for processing patient billing. To perform her duties, she had access to all SVIMC patient records. On Oct. 20 and 21, 2008, she accessed a patient's files approximately 12 times out of curiosity. She admitted that she accessed the records "without any legitimate purpose." Records show that Miller was trained on HIPAA privacy laws by SVIMC. SVIMC fired Miller from her position.

Candida Griffin was the emergency room coordinator at SVIMC, and her responsibilities were primarily administrative: ordering patient tests and performing data entry for the emergency room. On Oct. 20, 2008, she was told by the charge nurse to set up an alias for a particular patient admitted to the emergency room.

Griffin admitted that on Oct. 21, 2008, after the patient had been moved to ICU, she became curious about the patient's status and accessed the medical chart. Griffin did not inform anyone about accessing the chart; however, hospital records show that the patient's records were accessed three times that day by Griffin. SVIMC records show that Griffin was trained on HIPAA privacy laws. SVIMC fired Griffin from her position.

Pursuant to plea agreements, Holland, Miller and Griffin pled guilty to a misdemeanor violation of HIPAA health information privacy provisions, based on their accessing a patient's record without a legitimate purpose.

Each faces a maximum penalty of one-year imprisonment, a fine of not more than $50,000, or both. A sentencing date has not yet been set, but it is anticipated to be within the next 45-60 days, according to Thomas J. Browne, special-agent-in-charge of the Little Rock Division of the FBI.