Criminal HIPAA violations are becoming more and more commonplace–and this recent example proves that the risks may be growing.
A gynecologist based out of Springfield, Massachusetts was convicted of a criminal violation of HIPAA, relating to the illegal distribution of protected health information (PHI) with pharmaceutical sales representatives. The physician received kick-backs from pharmaceuticals company, Warner Chilcott, amounting to $23,500.
The physician purportedly shared confidential PHI with Warner Chilcott to allow the company to specifically target patients with certain key conditions. The illegal sharing of PHI for these purposes is a direct violation of the HIPAA Privacy Rule’s protections, which afford patients the right to the privacy and integrity of their PHI. PHI is any demographic information that be used to identify a patient, including name, date of birth, SSN, etc.
The case in question stems from a larger investigation by the Department of Justice (DOJ) into Warner Chilcott for illegal marketing practices. Warner Chilcott pleaded guilty to felony health care fraud in 2015 and was issued a $125 million settlement with the DOJ. This isn’t the first criminal HIPAA conviction to come out of the Warner Chilcott case, either.
More than anything, this case proves that the indirect effects of a violation can have far reaching consequences beyond mere OCR HIPAA fines. Though sentencing is still forthcoming, it wouldn’t be without precedent to see the gynecologist receive jail time, as is often the case with HIPAA criminal convictions.
HIPAA is more wide-reaching than just the privacy and security standards it’s most commonly associated with. The regulation also specifically established grounds for criminal liability for illegal disclosures of PHI.
Former Office of Civil Rights (OCR) Director Jocelyn Samuels oversaw the criminal conviction of a respiratory therapist in 2016 for the wrongful disclosure of PHI. She’s quoted in the OCR press release, stating: “While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.”
With both OCR and DOJ officials demonstrating a history of criminal prosecution and a willingness to seek HIPAA criminal convictions in the future, HIPAA violations mean more than just a slap on the wrist.