A Pittsburgh area woman, Linda Sue Kalina, is facing substantial fines and prison time after pleading guilty to charges of wrongfully obtaining and purposely disclosing protected health information (PHI).
Ms. Kalina was an employee of two different affiliates of University of Pittsburgh Medical Center (UPMC) from 2016 – 2017. Prior to joining UPMC, she worked for over twenty years as an office manager at a nearby construction company until she was fired. The PHI she disclosed pertained to employees of that construction company, and the incident was discovered when the construction company reported the disclosure to UPMC.
The wrongful disclosure of PHI is addressed under HIPAA criminal statute 42 U.S. Code § 1320d–6. Wrongful disclosure of individually identifiable health information. Penalties are divided into three tiers:
Ms. Kalina’s actions meet the malicious harm threshold; therefore, she could be sentenced to up to 10 years in jail and face a fine of up to $500,000. She is due to be sentenced this June.
It is unclear at this time if UPMC will also face penalties for this incident. The healthcare provider is required to have policies and procedures in place, and to train employees regarding the proper use and disclosure of health information. UPMC is also responsible for limiting user access to PHI to only that necessary to perform one’s job, and to audit system activity to detect abnormal activity. Whether Ms. Kalina’s job duties entitled her to have access to the PHI she disclosed, and whether or not her illegal actions should have been discovered by UPMC’s audit protocols, remains to be seen.