A pediatric cardiologist recently sentenced to six months’ probation is serving as the latest reminder that violations of the Health Insurance Portability and Accountability Act (“HIPAA”) can lead to more than civil monetary penalties and reputational damage associated with a breach. According to The National Law Review, this is the second case within a six-month period in which a physician was prosecuted by the U.S. Department of Justice (“DOJ”) for such a HIPAA violation, reflecting a potential trend that prosecutors see this type of infraction as low-hanging fruit especially when brought in conjunction with other criminal charges. Although in each case the physician was ultimately sentenced to probation for the HIPAA violation, these cases should serve as a stark reminder to covered entities that HIPAA violations can have significant consequences.
In United States v. Montaña, the US Department of Justice prosecuted an individual physician, Dr. Eduardo Montaña, in connection with the DOJ’s investigation into Massachusetts-based pharmaceutical company Aegerion Pharmaceuticals, Inc. The investigation surrounded Aegerion’s prescription drug Juxtapid — a drug that the pharmaceutical firm misbranded under the Federal Food, Drug, and Cosmetic Act. 
According to filings, the physician allowed Aegerion sales representatives to access protected health information (“PHI”) of patients who were not diagnosed with a condition treated by Juxtapid to identify potential candidates for the drug without the patient’s consent — a wrongful and unauthorized disclosure of PHI under HIPAA. The filings allege that the Aegerion representative used a personal email account to send Dr. Montaña a list of 102 patients identified as potential candidates and ended the email with the following statement: “By the way, I am sending this to you from my personal email because of the patient info :).”
In the course of this relationship, Dr. Montaña allowed the Aegerion representatives to have free reign in his electronic medical records (“EMR”) system, handing out his personal access code and explaining how to navigate that system through a text message exchange with an Aegerion sales representative.
The above disclosures represent blatant violations of HIPAA’s privacy regulations (the “Privacy Rule”) and security regulations (the “Security Rule”). In allowing the Aegerion representatives to freely navigate the practice’s electronic medical record system, Dr. Montaña failed to observe and maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI and preventing impermissible access or disclosure.
Ultimately, Dr. Montaña pleaded guilty in February 2018 to a misdemeanor count of wrongful disclosure of IIHI and was faced with up to one year of imprisonment.
While the above example relates to the prosecution of an individual provider, covered entities should be aware that the acts of an individual physician may also subject a physician’s practice to additional exposure, including civil monetary penalties, in the event that OCR decides to put the practice under the microscope and determines the practice failed to have adequate policies, procedures, and safeguards in place to prevent such violations from occurring. Therefore, it is critical for employers to adequately train and educate providers and staff about the importance of compliance with HIPAA requirements. For expert HIPAA compliance training, contact the experts at HIPAAcraticRx.com.