We do not often see criminal penalties for HIPAA violations, but when they do happen it can be important to take note. If you have not already, it might be useful to brief your staff on this situation to remind them of the seriousness of protecting patient information.
On April 30, the Department of Justice announced that a federal jury convicted Rita Luthra, a Springfield, Massachusetts gynecologist, of a criminal HIPAA violation and obstructing justice. According to the Department of Justice, Luthra allowed a sales representative from a drug company to access protected health information in her patients’ files. She allegedly also provided false information to federal agents when interviewed about her relationship with the drug company.
This type of disclosure was neither permitted nor required under HIPAA, so the only way it could be made is with an authorization from each patient. It appears that authorization was not obtained, and therefore this was an illegal disclosure of PHI.
Luthra has not been sentenced yet, but the HIPAA violation carries a sentence of no greater than one year in prison and/or a fine of $50,000 and one year of supervised release.
It is unclear whether Luthra knew this was an impermissible disclosure of PHI. However, the case does indicate that prosecutors take permitting inappropriate access to PHI seriously. It is necessary for all organizations to have a strong understanding of what PHI may be released, what must be released, and what may only be released with an authorization. Otherwise, organizations are placing themselves at risk for fines and placing their staff at risk of criminal punishment.