Following pleading guilty to a criminal violation of HIPAA Rules, a physician has received 6 months’ probation as an alternative to a jail term and financial penalty for the wrongful disclosure of patients’ PHI to a pharmaceutical company.
The Department of Justice in Massachusetts heard the legal case in conjunction with a case against Massachusetts-based pharma firm Aegerion.
In September 2017, the Novelion Therapeutics subsidiary Aegerion chose to to plead guilty to misbranding the prescription drug Juxtapid. The case also included deferred prosecution in connection with criminal liability under HIPAA for causing false claims to be sent to federal healthcare programs for the drug.
Aegerion confirmed that they conspired to obtain the individually identifiable health information of patients without legal permission for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in financial penalties to resolve criminal and civil liability.
The MA DOJ also charged a Georgia-based pediatric cardiologist with criminal breaches of HIPAA Rules for permitting a sales representative of Aegerion to access the confidential health information of patients without first receiving patient consent. The sales rep was permitted to see the data of patients who had not been diagnosed with a medical condition that could be treated with Juxtapid (lomitapide) in order to identify possible candidates for the drug.
This is the second criminal HIPAA violation case of this type in Massachusetts in the past four months which lead to probation rather than a jail term or fine. In September, Massachusetts gynecologist Rita Luthra received a sentence of one-year probation over payments received by a pharmaceutical firm (Warner Chilcott) for giving sales reps access to the individually identifiable health information of patients for financial gain. While prosecutors were urging a fine and a jail term to be applied to act as a deterrent, Judge Mastroianni explained in his ruling, “Her loss of license and ability to practice is a substantial deterrent.”
While probation was received in each of these legal actions, a major fine, jail term, and loss of license are real possibilities for physicians discovered to have criminally breached HIPAA Rules. Both physicians could have received a fine of up to $50,000 for the violations and a prison sentence of up to one year.