Running a physician practice is hard work, fast-paced and stressful. But accepting help from a pharmaceutical company to streamline prescription authorizations is not worth the risk. HIPAA carries criminal penalties if covered entities intentionally disclose protected health information.
Dr. Rita Luthra was a gynecologist in the Boston area who knowingly allowed a pharmaceutical sales representative to access her patients’ protected health information (PHI). Many insurance companies required prior clearance to cover the osteoporosis drug Atelvia. Because Atelvia was more expensive than a generic alternative, insurance companies often asked the prescribing physician to complete a form explaining why a patient needed it. Without the prior clearance, insurance plans would not pay for the prescription. The drug company benefited from helping Dr. Luthra to write more prescriptions and she benefited by receiving payments for education and research for the drug company. (The drug company, Warner Chilcott, paid $125 million to settle civil and criminal penalties in relation to health care fraud and HIPAA violations.)
Dr. Luthra was convicted of aiding and abetting the wrongful disclosure of individually identifiable health information – a crime under HIPAA. The court also found that she lied to federal investigators and told her assistant to lie, to try to avoid a HIPAA violation, but it backfired when the prosecutors learned the truth because obstructing an investigation is also a crime.
She faced a maximum sentence of one year on the first count and five years on the second. The district court later sentenced her to one year of probation instead. The court was lenient because of her many years of providing care to underprivileged women in the Boston area, some of whom were unable to pay for her services. But she lost her medical license and closed her practice.
The HIPAA Criminal Statute
Most health care providers are familiar with HIPAA, but many may not realize that violations can be punished as federal crimes. When violations are criminal in nature they are prosecuted by the Department of Justice (DOJ) rather than the Department of Health and Human Services (HHS).
It is illegal to knowingly “use or cause to be used a unique health identifier,” obtain individually identifiable health information, or disclose such information to another person. A person illegally “obtains” or “discloses” information if it is maintained by a HIPAA covered entity and the person obtains or discloses it without authorization from the patient. In Dr. Luthra’s case, she knowingly gave access to her patients’ PHI to the pharmaceutical sales rep without her patients’ authorization. The crime carried a possible penalty of one year in jail.
Avoid HIPAA Prosecution, Fines and Jail
To avoid investigations by HHS for civil penalties, and prosecution by the DOJ for criminal penalties, all business associates and covered entities should:
- Maintain up to date HIPAA policies covering the Privacy, Security and Breach Notification Rules – ensure staff understand their responsibilities to maintain the privacy and security of all PHI, and update the policies periodically.
- Conduct a Risk Analysis and follow the Risk Management plan that comes from it. Risk Management is an ongoing responsibility to maintain awareness, a culture of compliance and constant improvement to reduce risk. The Risk Analysis should be repeated at least once a year.
- Cooperate with investigators and tell the truth, even if the truth is difficult. Lying in an investigation is a separate offense and could result in a harsher sentence, including jail time.
If you need help getting started, or fine-tuning your HIPAA compliance program, call The HIPAA E-Tool® today.