Under HIPAA, covered entities (CEs) are responsible for ensuring that their patients’ protected health information (PHI) is safe and secure. But sometimes staff don’t know the rules and seek access to information out of curiosity or even malice. A recent case highlights why poking into medical records is a bad idea. Background: Last month, Linda Sue Kalina pled guilty to the wrongful disclosure of two patients’ PHI, indicates a Department of Justice (DOJ) release. Between March 2016 and June 2017, Kalina worked as the University of Pittsburgh Medical Center (UPMC) patient information coordinator. During that time period, she also worked at its Mars, Pennsylvania-affiliate, Tri Rivers Musculoskeletal Centers (TRMC), where she improperly accessed 111 UPMC patients PHI. It gets worse. “On August 11, 2017, Kalina unlawfully disclosed personal gynecological health information related to two such patients, with the intent to cause those individuals embarrassment and mental distress,” the DOJ stresses. These two particular patients had previously worked with Kalina at a different company. According to the federal report, the seriousness of the crime dictates the sentencing. The total sentence may include up to 10 years in prison and/or a fine of $250,000. Kalina’s sentencing date is June 25. Read the DOJ release at www.justice.gov/usao-wdpa/pr/former-patient-coordinator-pleads-guilty-wrongfully-disclosing-health-information-cause.