It is a relatively rare occurrence for the Department of Justice to pursue cases against individuals for criminal HIPAA violations, although action is being taken against a pharma company manager for alleged criminal HIPAA violations.
Charges of Criminal HIPAA Violations in Pharmaceutical Fraud Scheme
A case has been filed against Landon Eckles, a district manager for the pharmaceutical firm Warner Chilcott, for criminal HIPAA violations committed in 2011. Eckles is alleged to have wrongfully accessed and disclosured the personally identifiable health information of patients.
The case against Eckles is part of the case filed against Warner Chilcott for criminal and civil liability for illegally promoting some of its pharmaceutical products and paying kickbacks to physicians for prescribing its drugs. Warner Chilcott was recently sentenced to pay a criminal fine of $125 million by the U.S. District Court in Boston.
In 2011, Warner Chilcott launched the drug Atelvia; however, there was poor insurance coverage in Eckles’s district. Many insurance companies required prior authorizations before covering the drug. Those authorizations needed to be signed by patients’ physicians.
The DOJ alleged that Eckles told sales representatives to fill out the prior authorizations if physicians refused to fill them out. In order to do that, patients’ protected health information needed to be accessed. Eckles was also alleged to have personally filled out prior authorizations. Eckles and another individual were also accused of accessing patients’ charts and placing Atelvia brochures in them to remind physicians to prescribe the drug.
Eckles pleaded guilty to criminal HIPAA violations last July and is due to be sentenced later this year. The penalty for criminal HIPAA violations in his case will be up to 10 years in jail plus 3 years of supervised release, exclusion from the Medicare program, and a fine of up to $250,000.
Cases are occasionally pursued for criminal HIPAA violations, although these are usually for particularly egregious behavior and are rare. However, healthcare organizations are being held accountable for data breaches that have occurred as a result of a failure to follow HIPAA guidelines. The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently stepped up enforcement of HIPAA Rules. A number of healthcare organizations have recently reached settlements with OCR for HIPAA violations that have directly contributed to the exposure or theft of Protected Health Information. OCR is likely to continue to come down heavily on organizations that blatantly disregard HIPAA Rules.