Tuesday, December 4, 2012

Criminal Action Taken Against Vermont Ultrasound Technologist for Accessing Records Without Authorization


The Rutland Herald of Vermont reports that Kathy Tatro was sentenced in a Bennington, Vermont criminal court on Friday, November 23, 2012, to a suspended jail term of 6 to 12 months, 2 years of probation, 160 hours of community service, and a $2,000 fine, and was ordered to write a letter of apology to Catherine Taylor, the victim of Ms. Tatro’s persistent snooping.

The unlawful acts began 12 years ago, when Ms. Tatro was employed by Southwestern Vermont Medical Center (SVMC). Ms. Taylor was also employed by SVMC as a registered nurse. Ms. Tatro and Ms. Taylor also had a personal relationship – Ms. Tatro was married to Ms. Taylor’s ex-husband and was responsible for raising, at least on a part-time basis, the children of Ms. Taylor and Mr. Tatro. Over the 12-year period, Ms. Tatro looked at Ms. Taylor’s medical records, and those of her children, over 200 times. The ACLU of Vermont reports that, upon discovery, Ms. Taylor complained to various parties, including the Office of Civil Rights (OCR), the Licensing and Protection Division of the Vermont Agency of Human Services, the FBI, Bennington Police Department, Senator Richard Sears, D-Bennington, SVMC’s Chairman of the Board, and the ACLU. It is not clear from the reports what finally prompted action, but Ms. Tatro was arraigned in February 2011 on a felony charge of identity theft and 10 misdemeanor charges of unauthorized access to computer records. According to the Rutland Herald, when asked during her sentencing why she looked at Ms. Taylor’s record, Ms. Tatro said that it was “morbid curiosity that caused her to look at Taylor’s records.”

According to the ACLU, OCR investigated the report and substantiated Ms. Taylor’s report that her records were improperly accessed without authorization. OCR did not fine SVMC but rather entered into a Corrective Action Plan. Although the details of the Corrective Action Plan have not been released, such plans typically require implementation of more robust security and privacy procedures as well as heightened levels of training of employees.

Based on recent OCR activities, it appears that the investigation of SVMC took place prior to the passage of HITECH because, since the passage of HITECH, similar incidents have led to OCR issuing large fines against employers (rather than just a Corrective Action Plan). In July 2011, for example, OCR fined the University of California at Los Angeles Health System $865,500 for violations of the HIPAA Privacy and Security Rules, when “OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.” In reporting the OCR action, Director Verdugo said, “Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity.” Thus, given the increase in enforcement activities, the hospital would likely also have reacted more quickly than the reports indicate it did.

Interestingly, the Rutland Herald reports that “Tatro apologized to Taylor but also said she felt harassed and wondered ‘if I were not the ex-husband’s wife, if this would have gone as far.’” Ms. Taylor also felt harassed, testifying that Ms. Tatro “looked at my X-rays, my mammograms, my radiology reports, my labs, microbiology, emergency room visits. Anything in my file. She monitored me for years without me knowing it. …I’ll never know what information she shared about my personal sacred records whether it be with my ex-husband or her friends.”