HIPAA Horror Stories

Violating HIPAA Could Land You in Jail

one-minute read

Running a physician practice is hard work, fast-paced and stressful. But accepting help from a pharmaceutical company to streamline prescription authorizations is not worth the risk. HIPAA carries criminal penalties if covered entities intentionally disclose protected health information.

Dr. Rita Luthra was a gynecologist in the Boston area who knowingly allowed a pharmaceutical sales representative to access her patients’ protected health information (PHI). Many insurance companies required prior clearance to cover the osteoporosis drug Atelvia. Because Atelvia was more expensive than a generic alternative, insurance companies often asked the prescribing physician to complete a form explaining why a patient needed it. Without the prior clearance, insurance plans would not pay for the prescription. The drug company benefited from helping Dr. Luthra to write more prescriptions and she benefited by receiving payments for education and research for the drug company. (The drug company, Warner Chilcott, paid $125 million to settle civil and criminal penalties in relation to health care fraud and HIPAA violations.)

Dr. Luthra was convicted of aiding and abetting the wrongful disclosure of individually identifiable health information – a crime under HIPAA. The court also found that she lied to federal investigators and told her assistant to lie, to try to avoid a HIPAA violation, but it backfired when the prosecutors learned the truth because obstructing an investigation is also a crime.

She faced a maximum sentence of one year on the first count and five years on the second. The district court later sentenced her to one year of probation instead. The court was lenient because of her many years of providing care to underprivileged women in the Boston area, some of whom were unable to pay for her services. But she lost her medical license and closed her practice.

The HIPAA Criminal Statute

Most health care providers are familiar with HIPAA, but many may not realize that violations can be punished as federal crimes. When violations are criminal in nature they are prosecuted by the Department of Justice (DOJ) rather than the Department of Health and Human Services (HHS).

It is illegal to knowingly “use or cause to be used a unique health identifier,” obtain individually identifiable health information, or disclose such information to another person. A person illegally “obtains” or “discloses” information if it is maintained by a HIPAA covered entity and the person obtains or discloses it without authorization from the patient. In Dr. Luthra’s case, she knowingly gave access to her patients’ PHI to the pharmaceutical sales rep without her patients’ authorization. The crime carried a possible penalty of one year in jail.

Avoid HIPAA Prosecution, Fines and Jail

To avoid investigations by HHS for civil penalties, and prosecution by the DOJ for criminal penalties, all business associates and covered entities should:

  1. Maintain up to date HIPAA policies covering the Privacy, Security and Breach Notification Rules – ensure staff understand their responsibilities to maintain the privacy and security of all PHI, and update the policies periodically.
  2. Conduct a Risk Analysis and follow the Risk Management plan that comes from it. Risk Management is an ongoing responsibility to maintain awareness, a culture of compliance and constant improvement to reduce risk. The Risk Analysis should be repeated at least once a year.
  3. Cooperate with investigators and tell the truth, even if the truth is difficult. Lying in an investigation is a separate offense and could result in a harsher sentence, including jail time.

If you need help getting started, or fine-tuning your HIPAA compliance program, call The HIPAA E-Tool® today.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2021 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Powered by JEMSU

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free