If you’re just joining our overview of HIPAA compliance, you might want to back up and start at the beginning of this series. In Part 1, we’ll look at common HIPAA violations and associated civil monetary penalties. In this post, we focus on the Privacy Rule and outline the dos and don’ts of PHI use, as well as the far-reaching ramifications of criminal charges for HIPAA violations.
Failure to comply with HIPAA can exceed civil wrongdoing and be classified as a criminal offense. Suspected violations of the criminal provision of HIPAA are forwarded to DOJ, which then oversees the investigation.
In most cases, violations considered criminal involve a breach of conduct as defined and conscribed in the Privacy Rule. As mandated by law, all criminal convictions — felonies and misdemeanors that involve wrongfully and “knowingly” disclosing PHI (unique health identifiers or individually identifiable health information) — must, without exception, incur criminal penalties.
The Privacy Rule applies to all forms of protected health information: electronic, written, or oral. As such, conversations between doctors and staff about patients’ diagnoses/treatments and billing are protected under the law. Similarly, oral disclosure, simply speaking to an unauthorized person in a manner that conveys protected health information, is a crime.
Understanding that knowingly refers to all PHI use without authorization is important. DOJ interprets knowingly as requiring only knowledge of the actions constituting the offense. Knowledge that such actions were in violation of HIPAA is not required for a determination of guilt.
Bottom line: Individuals who violate the Privacy Rule will eventually learn, via criminal prosecution, how their actions violated the Privacy Rule.
As with HIPAA civil penalties, criminal penalties are meted out according to the severity of the criminal violation, as shown in the following table:
|Tier||HIPAA Criminal Violation||Maximum Penalty|
|1||“Knowingly” obtain or disclose individually identifiable health information||Up to $50,000, plus imprisonment up to 1 year|
|2||Offense committed under false pretenses||Up to a $100,000 fine, up to 5 years in prison|
|3||Offense committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain, or malicious harm||Up to $250,000, imprisonment up to 10 years|
Privacy and profits. Privacy for personal gain. Any equation with an equal sign between these is trouble. Your patients’ PHI is not for sale.
National healthcare fraud is on the upswing, with a 400 percent increase in annual takedowns since 2013. In 2017, alone, the Federal Government won or negotiated over $2.4 billion in fraud judgments and settlements, which doesn’t even account for state Medicaid monies recovered as part of global federal-state settlements.
Wondering how HIPAA violations amount to fraud? Are you up to speed on the False Claims Act (FCA) and the Anti-Kickback Statute (AKS)? How about the Stark Law? These three regs have been the subject of countless headlines in 2018.
If violating HIPAA’s Privacy Rule isn’t frightening enough, understand that there’s a vast network of tightly woven Federal laws sure to catch offenders.
When the Patient Protection and Affordable Care Act (ACA) became law in 2010, several changes were written into the AKS that linked it to the False Claims Act. The gist is that AKS violations coincide quite easily with liability under the FCA.
As outlined in 42 U.S.C. § 1320a-7b(b) and Social Security Act § 1128B(b), the AKS prohibits a person to knowingly and willfully offer, pay, solicit, or receive any remuneration directly or indirectly for:
Similarly, under HIPAA’s Privacy Rule, it is prohibitive to directly or indirectly receive “remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.”
That said, it’s not uncommon for pharmaceutical and medical device companies, or any member of their workforce, to solicit PHI for sales purposes. This is a clear violation of HIPAA and the AKS on their part, as well as a potential source of downfall to your organization if you, or any one member of your workforce, succumbs to the offer.
Understand that renumeration includes meals, speaking engagements, special services — any revenue opportunity or the receipt of items of monetary value. PHI disclosure without authorization can become the foundation of a false claim suit, particularly when the unlawful arrangement involves claims made to and paid for by a government payer, as often is the case when pharmaceuticals and medical devices are involved.
As part of its settlement with DOJ, the pharmaceutical company Warner Chilcott pleaded guilty to healthcare fraud. According to prosecutors, from 2009 to 2013, the drug maker paid kickbacks to physicians in exchange for prescriptions by paying them “speakers” fees and footing the bill at restaurants. Warner Chilcott paid $125 million in 2015 to resolve its criminal and civil liabilities.
A former Warner Chilcott district manager also pleaded guilty to disclosing identifiable health information and was sentenced to one year of probation, in addition to a $10,000 fine. But the case didn’t end there.
In 2015, prosecutors had accused a Massachusetts gynecologist of violating the AKS by accepting $23,500 from Warner Chilcott in exchange for prescribing its osteoporosis drugs, Atelvia and Actonel.
Prosecutors alleged that the gynecologist served as a “speaker” for the company and received $750 on 31 occasions for holding in-office educational events attended by her staff and a Warner Chilcott sales rep, who furnished the engagements with food.
But prosecutors dropped the kickback charge and instead chose to indict the gynecologist on HIPAA violations.
Why did DOJ change course mid-prosecution? Healthcare privacy lawyers from Hinckley Allen offer a plausible rationale: “Prosecutions for HIPAA privacy violations are on the rise, possibly because they can be far easier for federal prosecutors to prove — and less conceptually complex for a jury to understand — than schemes involving kickbacks, misbranding, or false claims … The elements for demonstrating criminal liability under the Privacy Rule are straightforward.”
The Hinckley Allen team’s theory holds up. In April 2018, the gynecologist was convicted for giving the sales rep access to her patients’ PHI. The gynecologist now faces maximum penalties of a $50,000 fine and one year in prison.
A similar HIPAA violation made headlines in September 2017. Aegerion Pharmaceuticals agreed to pay more than $35 million to resolve criminal liability arising from HIPAA violations involving activities of its sales force. In a connected case, a Georgia pediatric cardiologist pleaded guilty in February 2018 to disclosing his patients’ PHI to an Aegerion sales representative.
Bottom line: Unless you meet one of the Privacy Rule’s exceptions, knowingly using, obtaining, or disclosing individually identifiable health information can saddle you with a $50,000 fine and jail time, plus civil liabilities.
If these cases serve as a warning, which they should, take notice that the Federal Government is eager to prosecute HIPAA violations at every corporate level — from the corporate entities to management and even nonsupervisory employees.
Urgent attention required: Assess your HIPAA and AKS compliance to reduce the risk of a HIPAA or AKS violation and ensure that you are above board in terms of the False Claims Act.
Exercise extreme caution before sharing PHI with commercial third parties.
Criminal prosecutions under HIPAA, and the broad range of conduct for which medical practices can be held liable, require that you remain vigilant. Ignorance of HIPAA regulations does not excuse you from punishment.
Download a FREE copy of What Your Practice Must Know About the HIPAA Privacy & Security Rules to build on your baseline knowledge of HIPAA compliance and effectively train your team.
Stay on top of evolving regulations, new technologies, and security threats with current, to-the-point guidance in your monthly subscription to Health Information Compliance Alert. In every issue, our experts tackle challenging security scenarios across the spectrum of health IT to keep you in the know, help you train your staff, and equip you to implement protocols to preserve the integrity of your practice.
Rely on TCI’s best-in-class HIPAA compliance handbook — the HIPAA Handbook 2018 — to establish robust policies, procedures, and employee training. Our nationally-recognized HIPAA compliance experts lay out best practices and walk you step-by-step through the dos and don’ts of compliance. We also addressed new target areas and introduce you to tools to nail down risk assessments, tighten up your EHR privacy and security, reassess your risk analysis plan, prep for audits, and more.
Understand the laws presiding over your organization — and build a practice-wide culture of compliance — with The Physician Practice Compliance Sourcebook 2018. This comprehensive and practical reference tool will fill in your compliance knowledge and equip you to establish and maintain a risk-proof infrastructure.