Getty Images

Ex-Methodist Staff Plead Guilty to Illegal PHI Exposure in HIPAA Violation Case

Several ex-Methodist Hospital workers admitted to violating HIPAA regulations by unlawfully exposing PHI of motor vehicle accident victims to third parties, such as injury lawyers and chiropractors.

Six individuals, including five former Methodist Hospital employees, face sentencing for HIPAA violations after pleading guilty to the unauthorized disclosure of personal health information (PHI) involving motor vehicle accident victims. 

Roderick Harvey, 41, from Memphis, approached the ex-Methodist Hospital employees to provide names and phone numbers of patients involved in motor vehicle accidents, the Department of Justice (DOJ) stated. 

From November 2017 to January 2020, ex-Methodist Hospital employees Kirby Dandridge, 38, Sylvia Taylor, 43, Kara Thompson, 31, Melanie Russell, 41, and Adrianna Taber, 26, supplied patient information to Harvey in exchange for compensation.  

Upon obtaining the PHI of car accident patients, Harvey sold it to third parties, including personal injury lawyers and chiropractors. 

"HIPAA was enacted by Congress in 1996 to create national standards to protect sensitive patient information from being disclosed without a patient's knowledge or consent," the press release from the Department of Justice stated. "HIPAA's provisions make it a crime to disclose patient information, or to obtain patient information with the intent to sell, transfer or use such information for personal gain." 

HHS's Office for Civil Rights (OCR) typically enforces the HIPAA Privacy and Security rules by investigating complaints and conducting compliance reviews. If OCR finds a person committed a civil violation, it may impose civil money penalties.  

Dandridge, Taylor, Taber, Thompson, and Russell have already pleaded guilty to unlawful PHI disclosure with Harvey, breaching HIPAA regulations. According to the DOJ, each violation is punishable by a maximum of one year in prison, a fine of $50,000, and a year of supervised release. 

On April 21, 2023, Harvey pleaded guilty before United States District Judge Thomas L. Parker for conspiring with Dandridge, Taylor, Taber, Thompson, and Russell to violate HIPAA regulations. Harvey could face a maximum sentence of five years in prison, a fine of $250,000, and three years of supervised release if found guilty. Harvey's sentencing is scheduled for August 1, 2023. 

Next Steps

Dig Deeper on HIPAA compliance and regulation