Former hospital executive placed on probation for HIPAA violation

A former vice president at Med Center Health was placed on probation for two years and ordered to pay $140,000 in restitution after illegally disclosing health information to a business partner.

What happened

Mark Kevin Robison, a former vice president at Med Center Health, has been sentenced to two years probation and ordered to pay $140,000 in restitution for illegally disclosing the health information of thousands of patients. 

Robison pleaded guilty to wrongfully disclosing individually identifiable health information protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to another person without authorization from Commonwealth Health Corporation, now known as Med Center Health.

He had hired Randy Dobson as a patient account collection vendor, and together, they registered a corporation called OPTA, LLC in Kentucky. They developed software that they hoped to sell to healthcare companies. The illegal disclosure occurred in 2014 and 2015 when Robison shared the protected information with Randy Dobson in an effort to test OPTA software. Robison was fired when his relationship with Dobson was discovered. The charge carries a maximum penalty of five years in prison and a $100,000 fine; however, the plea agreement calls for probation and restitution payments to be made to CHC, the victim in this case.

See also: 

• How to know if you’re a business associate
• HIPAA Compliant Email: The Definitive Guide

What was said?

Robison’s plea agreement states, “Robison was fired by CHC in December 2016 when his relationship with Dobson was discovered.” This was after Delaware OPTA was integrated into OPTA Kentucky after it had been dissolved. At this point, the patients’ rights to protect their health information following the HIPAA Privacy Rule had been violated, resulting in a breach.

Robison’s penalty was five years of imprisonment and a $100,000 fine; however, the plea agreement between Robison and federal prosecutors called for him to be placed on probation and to pay restitution of $140,000 to CHC, which was identified in court records as the victim in this case. 

At the sentencing, Robison's lawyer, David Guarnieri stated that “Robison has paid half the restitution and intends to pay the remainder by the end of January.”

In the know 

HIPAA violations involve the unauthorized disclosure of protected health information, carrying significant penalties. Depending on the severity, penalties can range from fines up to $50,000 per violation to criminal charges leading to imprisonment for individuals. Civil penalties can reach $1.5 million per year for repeated violations. The severity of the penalty is determined by the level of negligence or intention behind the violation, emphasizing the importance of strict adherence to HIPAA regulations to safeguard patients' sensitive health information.

Why it matters

This case emphasizes the importance of safeguarding patient data, highlighting the legal ramifications of breaches. It reinforces the need for strong data protection measures in healthcare institutions to maintain patient trust and comply with HIPAA regulations.

The bottom line

Although Dobson was given unauthorized access to the health information, there is no proof that Dobson discussed it with anyone else or made it publicly available. 

Healthcare institutions must reinforce stringent policies and regularly educate staff on HIPAA compliance to safeguard patients' confidential information. Implementing rigorous protocols and staying updated with evolving data protection practices is essential to preventing similar incidents.

See also: Investigation reveals pharmacies release medical information to police without warrants