Former Physician Convicted of Criminal HIPAA ViolationCase Involved Unauthorized Access to Patient Records
A former Massachusetts gynecologist has been convicted in a rare case involving a criminal HIPAA violation.
The case centers on the doctor allegedly giving a pharmaceutical salesperson access to her patients' medical records in order to produce "prior authorizations" to persuade the individuals' insurers to provide coverage for prescription drugs.
On April 30, a jury in a federal court in Massachusetts convicted Rita Luthra, 67, a former gynecologist at the Women's Health and Education Center in Springfield, Mass., of violating HIPAA, as well as obstructing a criminal healthcare investigation.
Motion to Acquit
U.S. District Court Judge Mark Mastroianni has not yet scheduled sentencing. A court date is set for May 16, when Mastroianni is expected to decide on a "Rule 29" motion by Luthra's attorney, Stephen Spelman, seeking to set aside the guilty verdicts. Spelman tells Information Security Media Group that he's arguing that evidence put forward by the prosecution was insufficient to justify the jury's verdict.
If the conviction is upheld, Luthra faces a sentence of up to one year in prison and/or a fine of up to $50,000 on the HIPAA conviction. On the charge of obstructing a criminal healthcare investigation, Luthra faces a sentence of up to five years in prison and a fine of up to $250,000, the Department of Justice says.
Link to Larger Case
The case against Luthra is related to a larger, complex federal healthcare fraud case prosecuted against pharmaceutical maker Warner Chilcott.
In April 2016, the U.S. District Court in Boston - the same court handling Luthra's case - ordered Warner Chilcott to pay $125 million to resolve criminal and civil liability arising from the illegal promotion of certain medications (see Drug Fraud Scheme Includes Criminal HIPAA Violations).
The fraud scheme involved illegal marketing of pharmaceuticals and the payment of kickbacks to physicians to prescribe the company's products, prosecutors in that 2016 case said. The drug maker submitted "false, inaccurate, or misleading prior authorization requests to federal healthcare programs for the osteoporosis medications Atelvia and Actonel," according to the DoJ.
That case also involved several individual prosecutions of former Warner Chilcott employees. Among those prosecuted was a former district manager who earlier pleaded guilty to wrongful disclosure of individual identifiable health information, a criminal violation of HIPAA.
Spelman tells ISMG that Luthra was one of nearly 2,000 doctors who were "consultants" for Warner Chilcott regarding the drug Atelvia. "Many of those doctors let Warner Chilcott pay for parties on yachts, dinners at fancy restaurants, etc., and let Warner Chilcott reps take their patient files home. Dr. Luthra did none of that, yet was the only doctor prosecuted," he claims.
Luthra in 2015 voluntarily surrendered her license to practice medicine.
The DoJ declined to comment on the case.
Case Against Luthra
In the indictment filed in 2015 against Luthra, prosecutors alleged that she "knowingly and willfully solicited and received remuneration" from Warner Chilcott between October 2010 and November 2011 of approximately $23,500 for "speaking fees" in exchange for writing prescriptions for Warner Chilcott's osteoporosis drugs, for which payment was made in whole or in part under Medicare.
Prosecutors say that in January 2011, Warner Chilcott launched Atelvia as a replacement for an older drug. Insurance plans, however, generally did not include Atelvia on their formularies, primarily because a far less expensive generic bisphosphonate-generic - Fosamax - was available, the indictment notes. "These insurance plans would not pay for Atelvia unless a physician submitted a 'prior authorization' explaining why the patient needed Atelvia instead of ... any other bisphosphonate on the market," according to the indictment.
When Warner launched Atelvia, Luthra started receiving numerous denials from insurance companies for payment for prescribing the drug, prosecutors say. Luthra then asked the Warner Chilcott sales rep to help the doctor's medical assistant in compiling PAs, prosecutors say.
This is where the alleged HIPAA violation took place. "The sales representative had access to Luthra's patients' protected health information, and used the information to fill out the PAs," prosecutors say. "The medical assistant would then give Luthra the PAs to sign."
Related to the obstruction charge, the indictment notes that in 2014, when federal agents were investigating the healthcare fraud case against Warner Chilcott, Luthra told investigators that the sales rep helped prepare the PAs, but didn't have access to patient records. Prosecutors also allege that Luthra instructed her medical assistant to also tell federal agents that the sales rep did not access patient records.
Missing Business Associate Agreement?
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says it appears the alleged HIPAA violation involving Luthra might have been easily avoided.
"The HIPAA situation in this case seemingly could have been addressed by a business associate agreement," he says. "There is Department of Health and Human Services guidance that specifically discusses medical company representatives assisting healthcare providers as a business associate."
Legal experts note that prosecutions - and convictions - in cases involving criminal HIPAA violations are uncommon.
"They are rare because law enforcement and prosecutors have limited resources to investigate cases and bring prosecutions, and HIPAA violations often are not at the top of their list," Greene says.
Privacy attorney Kirk Nahra of the law firm Wiley Rein notes that criminal prosecutions under HIPAA are usually tied to bigger criminal cases. "They have fallen into a couple of categories - theft of patient info to commit identity theft or healthcare fraud, selling patient data to tabloids or some other sale related to an improper disclosure," he says.
"All of these cases have involved clear wrongdoing - there was no interpretation question or mistake element," he says. "This [Luthra] case is modestly different, but I doubt the case would have been prosecuted if it wasn't part of a broader fraud scheme."
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, says in the Luthar case, it is important to consider the larger context for the motivation of why the Warner Chilcott pharmaceutical salesperson was provided access to PHI. "The ultimate goal was to fabricate clinical justification to support approval of prescribing a pharmaceutical," he says. "The HIPAA criminal statute is in place precisely because even the best information security controls can be defeated by a determined insider who looks to violate the confidentiality or corrupt the integrity of a patient's PHI."
Among other criminal cases involving HIPAA was a 2013 case involving Denetria Barnes, a former nursing assistant at a Florida assisted living facility, who was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.
And in April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud, as well as criminal HIPAA violations (see Hefty Prison Sentence in ID Theft Case).
While those cases involved multiyear federal prison sentences, most other defendants sentenced for criminal HIPAA violations have generally gotten lighter sentences.
For example, in November 2014, Christopher R. Lykes Jr., a former South Carolina state employee, was sentenced to three years of probation, plus community service, after he sent personal information about more than 228,000 Medicaid recipients to his personal email account. Lykes pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy (see Sentencing in S.C. Medicaid Breach Case).
And in a 2010 case, former UCLA Healthcare System surgeon Huping Zhou, M.D., was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others (see HIPAA Violation Leads to Prison Term).
More to Come?
"We will continue to see HIPAA criminal cases pretty sporadically, likely cases where HIPAA is added to other charges, or particularly egregious privacy violations where the defendant allegedly personally profited from violating HIPAA - such as selling medical information," Greene predicts.
Nahra offers a similar assessment. "I will expect to continue to see criminal cases in these clear wrongdoing situations, but doubt that this will ever realistically be expanded to real judgment calls on HIPAA - and I don't think criminal charges should apply in those situations," he says.