David was hired as a medical coder and biller for a family medicine departmental clinic owned by a large hospital entity. During downtime, he decided to search the database for people he knew, such as friends, neighbors, coworkers, and other acquaintances. If he found a record, he would pull it up and read the medical record information and sometimes jot down contact information and personal identifiers. He then used this information to market his side business as a DJ, sending advertising to the patients' addresses. The informational services (IS) department discovered this activity and notified the manager of the department to investigate further. David denied accessing the files, but the tracking report from IS proved otherwise, as David's activity in the billing system was minimal compared to his clinical access. In this case, what might be the ramifications of David's actions?

(A) Termination of employment and possible fines to the organization due to the nature of the Health Insurance Portability and Accountability Act (HIPAA) violation
(B)Termination of employment, reporting of the incident to the compliance department, notification to all patients that their B information may have been compromised, possible fines to the organization, and possible jail time for David due to the nature of the HIPAA violation
(C) Written disciplinary action for David though he could maintain his job with the organization
(D) Termination of employment, reporting of the incident to the compliance department, and a notification to all patients that their information may have been compromised