HIPAA Lessons from the Warner Chilcott Settlement
Last week, the US Attorney’s Office in Boston announced that drug company Warner Chilcott agreed to plead guilty to health care fraud and pay $125 million to resolve criminal and civil liability arising out of allegations involving the promotion of the company’s drugs. Continuing its focus on individuals, the former President of the Company has been charged with conspiring to pay kickbacks to physicians. The government interest in prosecuting illegal drug promotion activities and illegal payments to physicians has been a longstanding priority. However, in a new twist that should be of great interest to the health care community, the government has brought criminal charges under the Health Insurance Portability and Accountability Act (HIPAA) against company employees as well as the physician practice owner for the alleged unlawful access and disclosure of patient medical records. These HIPAA violations could result in prison sentences, significant fines and exclusion from the Medicare program.
According to the Information filed last week, district managers allegedly encouraged their sales representatives to flag patient medical records with brochures about the company’s drug. The sales reps also were accused of filling out the required prior authorization forms for the physician office and, in some instances, taking patient records home in order to complete those prior authorizations. In order to conduct such activities, the sales representatives would have had to access the patients’ medical records.
It is not uncommon for hospitals and medical practices to allow DME suppliers, home care and other providers to access their patients’ medical records in connection with facilitating follow up care for patients. Understanding the difference between lawful access for treatment purposes, which is permitted under HIPAA, and an unlawful access or disclosure that will subject a provider to penalties under HIPAA is critical. Now is the time for providers and vendors alike to reexamine their HIPAA policies and retrain their staff to ensure that all employees understand how HIPAA may impact sales, marketing and care related activities.