A woman who took confidential protected health information from a Wichita surgery center was recently sentenced to 18 months of probation. A jury in Kansas found an employee of Cypress Surgery Center guilty on all counts for sending sensitive PHI for 317 patients to her Gmail account. The employee took the protected health information during a mass forward of e-mails from her work account to her personal Gmail account moments before she was fired.
The jury's decision underlines an important point we've previously covered here: Gmail is not HIPAA compliant.
Here's more background on the case. The employee worked at the surgery center as a business manager and was fired in June 2013. Cypress Surgery Center discovered the HIPAA compliance breach in an audit shortly after. During the trial, the accused said she had a feeling she might be fired. She said she was afraid of legal backlash from Cypress about an incident that involved fraudulent insurance billing. She believed forwarding the e-mails from her work account to her personal Gmail account would protect her.
The surgery center houses at least 10 medical specialties, including infertility treatment. The infertility clinic was highlighted as having some of the most sensitive PHI in the case.
Although in this case the e-mails in question were sent from a work e-mail account to Gmail, nearly every day we hear of cases of covered entities using Gmail for work purposes and sending PHI. This is a huge no-no with the U.S. Department of Health & Human Services. In the eyes of the court system, there is now precedent for HIPAA violators to also face probation. Is jail time next?