Nearly a year after being convicted, three pharmaceutical company employees are sentenced for healthcare fraud and HIPAA violations.
On Oct. 28, three employees of Warner Chilcott, a pharmaceutical company based in Rockaway, N.J., were sentenced for healthcare fraud and HIPAA violations committed in order to increase sales of an osteoporosis drug. Criminal violations of HIPAA are rare; however, the cases of the three district sales managers are significant for two reasons. First, they show the DOJ's willingness to prosecute HIPAA violations, especially when they involve utilizing protected health information (PHI) in relation to sales. Second, Warner Chilcott was not a covered entity. Therefore, the cases underscore the importance of HIPAA compliance.
The three district managers, who lived in North Carolina, California and New York, were sentenced to various months of home confinement and ordered to forfeit various amounts of money and pay varying fines. These district managers and their sales representatives accessed patients' PHI in order to submit prior authorizations for Atelvia, an osteoporosis drug.
As a refresher, generally, the sale of PHI is "where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information." If a patient's PHI is being sold, physicians and other covered entities need to include this express provision in their HIPAA Authorization Forms and Notice of Privacy Practices. "Notwithstanding any provision of this subpart, other than the transition provisions in § 164.532, a covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information, as defined in § 164.501 of this subpart. (ii) Such authorization must state that the disclosure will result in remuneration to the covered entity."
Hence, the takeaways for physicians are: (1) you need to expressly obtain authorization from patients before selling their PHI; (2) this area of your HIPAA Authorization Form should be bold and require initials, so that authorization is less likely to be contested as misleading or hidden; and (3) make sure that a business associate agreement is also in place. Taking precautions up front can prevent severe penalties in the long run.