On January 18, 2013, a federal district judge sentenced Dale Monroe II to 12 months and one day in federal prison for having sold thousands of records of patient information that he had improperly accessed. The judge also sentenced him to a two-year term of supervised release.

Monroe, who had worked as the emergency department registration clerk at Florida Hospital Celebration, had improperly accessed 760,000 electronic health records and had sold information about 16,000 accident victim patients to a co-conspirator in order to solicit legal and chiropractic business.

Two co-conspirators have pled guilty and are awaiting sentencing. One co-conspirator faces 45 years imprisonment, and the other faces five years.

Covered entities and business associates must take steps to restrict access only to those with a “need to know” and must continually audit access and disclosure, must update their risk analyses, and must implement, update, and enforce their policies. If Florida Hospital Celebration did not do so, it may face HIPAA’s civil and criminal liability itself.

This conviction, the new Omnibus Rule, and recent questions from my HIPAA seminar attendees and our EMR Legal HIPAA consulting clients have caused me to write yet another book. The working title for this one is “HIPAA Policies and Procedures.” Stay tuned for information about when the book and the accompanying CD will be available for you to buy.