Criminal HIPAA Violation

Physician Rita Luthra has come under fire for a criminal HIPAA violation. The U.S. District Court for the District of Massachusetts sentenced her to one year of probation for her part in illegal drug kickbacks and healthcare fraud.

Criminal HIPAA Violation: What Happened

During an investigation into Warner Chilcott, a pharmaceutical company that produces Actonel and Atelvia, the Department of Health and Human Services (HHS) interviewed Dr. Rita Luthra. The drug company hired Luthra as a spokesperson for Actonel and Atelvia, while she prescribed the drugs to her patients. 

Upon questioning, Luthra lied to investigators, claiming that the company did not pay her for speaking engagements, but had paid her to produce a research paper on the drugs. She also instructed her medical assistant to lie to investigators on her behalf.

During her relationship with the drug company, she was not only accepting illegal kickbacks from the company but also disclosing her patients’ protected health information (PHI) to them without patient authorization. As such, she was convicted on two counts for the criminal HIPAA violation, and sentenced to one year of probation for her part in the scheme.

The counts were:

  1. Aiding and abetting the unauthorized disclosure of protected health information; and
  2. Obstructing a criminal investigation by lying to investigators.

Disclosing Protected Health Information

When disclosing PHI outside of treatment, payment, or healthcare operations, you must receive prior written patient consent. The only exception to this is de-identified PHI for research purposes. For PHI to be considered “de-identified,” all personal identifying information must be removed before the data is disclosed. If there is even a remote possibility that the information can be linked to a specific patient, the data is not sufficiently de-identified.