A recent action by the Connecticut Medical Examining Board (a unit of that state's Department of Public Health) should serve to remind covered entities and business associates that it is not only the federal government that can act to enforce HIPAA's privacy requirements. In a consent order dated the 21st of March, but officially accepted in mid-June, Dr. Gerald Micalizzi accepted a $20,000 fine, six months' probation, and additional education requirements for inappropriately accessing the records of patients at Connecticut's Griffin Hospital.
Dr. Micalizzi, an interventional radiologist, worked for a company contracted by the hospital to provide radiology services. His position at the hospital was terminated, along with his access to the hospital's electronic record system, as of February 3, 2010. From February 4 through March 5, 2010, however, Dr. Micalizzi used the system credentials of another physician (who was unaware his credentials were being used) to access nearly 1000 patient records. He downloaded information belonging to 339 of these patients, and contacted them personally to inform them that he would be providing radiology services at another facility.