August 20, 2020
The First Circuit Court of Appeals recently affirmed the criminal conviction of a Massachusetts doctor for violating HIPAA. As we have previously written in our Whistleblowers Guide to HIPAA, the Health Insurance Portability and Accountability act of 1996 (“HIPAA”) establishes privacy protections for patients’ health information. “Protected health information,” or PHI, is patient-identifying information protected under HIPAA. Federal law prohibits wrongfully obtaining or disclosing PHI. Doing so is a crime.
A jury found that the doctor, Rita Luthra, wrongfully disclosed PHI by allowing a pharmaceutical sales representative to access patients’ health information. Specifically, Dr. Luthra asked a representative of Warner Chilcott to assist her medical assistant in doing prior authorization paperwork. Many insurance companies required prior authorizations to cover Atelvia, a Warner Chilcott drug used to treat osteoporosis. Because Atelvia was more expensive than a generic alternative, insurance companies often asked the prescribing physician to complete a form explaining why a patient needed it. Without the prior authorization, insurance plans would not pay for the prescription.
Evidence at trial showed that the sales representative accessed PHI and that Dr. Luthra knew about it. Both the salesman and medical assistant testified that Dr. Luthra knew that the salesman saw patient records. In addition, after federal agents investigating Warner Chilcott interviewed Dr. Luthra, she made things worse for herself. Dr. Luthra falsely told agents that, although the salesman helped with prior authorizations, he did not have access to PHI.
The jury convicted Dr. Luthra of aiding and abetting the wrongful disclosure of individually identifiable health information and of obstructing a criminal investigation of a health care offense. She faced a maximum sentence of one year on the first count and five years on the second. The district court later sentenced Dr. Luthra to one year of probation.
Dr. Luthra’s case is not unique. Federal prosecutors have brought charges against other individuals and companies for wrongfully disclosing PHI. For example, the U.S. Attorney’s Office in Massachusetts pursued criminal HIPAA charges in the cases below.
As noted above, Dr. Luthra’s misconduct was uncovered during a federal investigation of Warner Chilcott. That investigation resulted in Warner Chilcott paying $125 million to resolve its criminal and civil liability for illegally promoting drugs, including Atelvia. As part of the settlement, the company pleaded guilty to a criminal information charging it with health care fraud. According to the information, Warner Chilcott’s fraudulent conduct included its sales representatives improperly accessing PHI to help physician offices prepare prior authorizations for Atelvia.
In 2017, Aegerion Pharmaceuticals pleaded guilty and paid $35 million to resolve criminal and civil charges relating to the marketing of its drug Juxtapid. As part of the settlement, Aegerion entered into a deferred prosecution agreement to resolve a felony charge that it conspired to obtain PHI for commercial gain. Specifically, Aegerion admitted that Aegerion sales personnel illegally accessed HIPAA-protected patient information held by physicians in order to identify patients who might be candidates for Juxtapid treatment.
As noted above, Dr. Luthra was convicted of a crime for allowing a Warner Chilcott salesman to access patient records. Similarly, as part of the Aegerion investigation, a Georgia physician pleaded guilty to wrongfully disclosing protected health information. The physician, a pediatric heart specialist, violated HIPAA by giving an Aegerion sales rep a list of patients that contained PHI. The court sentenced him to six months of probation.
Violations of HIPAA also may give rise to False Claims Act cases. This is because when an entity submits a claim to the government, it promises that has followed the government’s health care laws – including HIPAA. In False Claims Act jargon, this is called the implied certification theory.
At least one court has found that violations of HIPAA can violate the False Claims Act.
A whistleblower brought a False Claims Act case against a home healthcare company. One of the allegations was that the defendants “searched confidential medical charts at different facilities to collect the names of patients they could solicit for home health services.” United States ex rel. O’Donnell v. Am. at Home Healthcare & Nursing Servs., Ltd., Case No. 14-cv-1098, 14 (N.D. Ill. Jan. 8, 2018). The whistleblower argued that illegally using PHI for solicitation violated the defendants’ implied certifications that they complied with the law. The Court concluded that the allegations stated a material violation of the False Claims Act because “information that a home health agency has pilfered protected health data to solicit patients has a good probability of affecting a payment decision.” Id. at 16.
Read more about how HIPAA violations can lead to False Claims Act liability in our Whistleblowers’ Guide to HIPAA
As the above cases make clear, both companies and individuals must respect HIPAA. Those who ignore its patient privacy protections can and have been criminally prosecuted. They have also faced liability under the False Claims Act. Sales personnel who ignore HIPAA constraints expose their companies to severe consequences. Likewise, physicians who fail to protect PHI in their records can face prosecution.