When HIPAA Becomes Criminal

By Mike Semel

Former Hospital Employees Accused of Selling Patient Information

Five former employees of Methodist Hospital in Memphis, TN, including a recently-licensed Registered Nurse, were indicted by a federal grand jury for allegedly selling medical information about car accident victims to personal injury attorneys and chiropractors. The hospital may be penalized for its HIPAA compliance based on the investigation caused by the alleged illegal activities of its rogue employees.

Roderick Harvey, 40, was charged with conspiracy and multiple counts of obtaining patient information with intent to sell it for financial gain. Harvey allegedly received patient information from Kirby Dandridge, 38, Sylvia Taylor, 43, Kara Thompson, 30, Melanie Russell, 41, and Adrianna Taber, 26, who were all charged with violating HIPAA. Harvey could receive up to 70 years in prison, pay a fine of $1.75 million, plus supervised release. Dandridge, Taylor, Thompson, Russell, and Taber each face a maximum penalty of one year imprisonment, a $50,000 fine and a one-year period of supervised release. According to the Tennessee Board of Nursing website, Taylor was recently licensed as a Registered Nurse, and could lose her license if convicted. 

Most HIPAA violations result in civil penalties against organizations for not adequately protecting patient information or by violating a patient’s right to access their medical records. HIPAA becomes criminal when someone violates HIPAA for personal gain (usually financial) or to harm a patient.

Because this took place at Methodist Hospital in Memphis, the healthcare provider will be investigated for its HIPAA compliance, and not just the parts of HIPAA specific to the alleged crime. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that enforces HIPAA will send a letter to the hospital demanding evidence of its compliance with all the HIPAA Rules – the Privacy Rule, Breach Notification Rule, and Security Rule. It will require that the hospital provide its ‘accurate and thorough’ HIPAA Security Risk Analysis (SRA) and evidence that it has remediated its identified cybersecurity risks. The hospital’s entire HIPAA program will be scrutinized because of an alleged crime related to part of the HIPAA Privacy Rule.

Since the requirement for HIPAA privacy training took effect 20 years ago, many organizations now treat it just as a checklist item – often part of a series of once-a-year ‘get-out-of-the-way’ training videos and quizzes that include OSHA safety, fraud and abuse, and sexual harassment. Then, nothing until next years’ training comes around.

Want to really protect your organization, your employees, and the people you serve?


Stories are more interesting and memorable than a boring review of rules and policies. Use your training time and staff meetings to tell stories about real healthcare employees that suffered after they committed HIPAA violations.

Share this story with your staff so they understand they are putting their careers and their freedom at risk if they share patient information.

Also share the stories about:

  1. The nurse who was suspended for taking a patient list to her new employer.
  2. The nurse who was fired for posting patient pictures online, and the home healthcare worker that was fired for a HIPAA violation.
  3. The doctor that was jailed for snooping in patient records.

“Dr. H began idling away his remaining days at the health system by looking at patient records for entertainment. The day he was notified of his termination, he accessed the first one – his immediate supervisor. Over the next few weeks, Dr. H browsed the medical records of many of his colleagues. He also viewed the records of the health-system’s many high-profile patients, including well-known movie stars, television personalities, and people in public office. Dr. H never shared the information he saw in the records. He didn’t talk about it with his wife, or try to sell the information about the celebrity patients to the tabloids. He knew he shouldn’t be looking at records of patients who were not his, but believed that as long as he didn’t share the information he gained, it wasn’t a problem. Thus, he didn’t believe that he had committed a federal offense.” EMPR.COM

Making HIPAA real and interesting could prevent HIPAA from becoming very real and very interesting - like when authorities are investigating your employees and your organization after an alleged HIPAA crime.


MIKE SEMEL  |  www.SemelConsulting.com

CMMC-AB Registered Practitioner  |  CompTIA Security Trustmark Coach  |  Certified Security Compliance Specialist
Certified Business Continuity Professional  |  Certified Health IT Consultant  |  Certified HIPAA Security Professional
Certified HIPAA Administrator  |  Certified HIPAA Professional