A doctor pleaded guilty to committing a criminal violation of HIPAA Rules for wrongfully disclosing the PHI of patients to a pharmaceutical company and was given 6 months’ probation instead of imprisonment and a fine.
The Department of Justice in Massachusetts prosecuted the case along with a case filed against pharma company Aegerion. In September 2017, Aegerion, a Novelion Therapeutics subsidiary, opted to plead guilty for mis-branding the prescription medication Juxtapid. The case also included deferred prosecution for criminal liability under HIPAA.
Aegerion admitted conspiracy to acquire patients’ individually identifiable health information without consent for financial gain, a violation of HIPAA, 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3). Aegerion paid $35 million in penalties to settle the criminal and civil violations.
The DOJ additionally charged a pediatric cardiologist based in Georgia with a criminal violation of HIPAA Rules for permitting a sales agent of Aegerion to access to the sensitive health data of patients without getting their consent first. The sales agent was permitted to see the data of patients who were not diagnosed with a health condition that need Juxtapid (lomitapide) as treatment in order to identify new prospective patients for the medicine.
This is the second time that a criminal HIPAA violation case has been prosecuted in Massachusetts in recent months. In September 2018, Dr. Rita Luthra, a Massachusetts gynecologist, was also given probation for receiving payments from a pharmaceutical company (Warner Chilcott) for PHI access. A judge gave her one year of probation for allowing a sales agent to access patients’ individually identifiable health information. The prosecutors had demanded a fine and a prison term to deter others from similar violations, but Judge Mastroianni mentioned in his judgment that the loss of freedom to practice is a considerable deterrent.
Although probation was given in both cases, other physicians found to have committed a criminal violation of the HIPAA Rules could face a substantial financial penalty and jail term. A fine of up to $50,000 and up to 12 months in jail is possible for a criminal violation of HIPAA.