Physicians Convicted of Criminal HIPAA Violations but Avoid Jail: Lessons Learned?
A pediatric cardiologist recently sentenced to six months’ probation serves as the latest reminder that violations of the Health Insurance Portability and Accountability Act (“HIPAA”) can lead to more than the civil monetary penalties and reputational damage associated with a breach. This is the second case within a six-month period in which a physician was prosecuted by the U.S. Department of Justice (“DOJ”) for such a HIPAA violation, reflecting a potential trend in which prosecutors treat this type of infraction as low-hanging fruit, especially when it can be brought in conjunction with other criminal charges. Although in each case the physician was ultimately sentenced to probation for the HIPAA violation, these cases should serve as a stark reminder to covered entities that HIPAA violations can have significant consequences.
This alert describes how the physicians criminally violated HIPAA and why the DOJ may be targeting these types of violations for criminal prosecution.
HIPAA allows for criminal penalties only for violations that involve the disclosure of “unique health identifiers” or “individually identifiable health information” (“IIHI”) and that are made “knowingly” and in violation of HIPAA. An individual may be subject to criminal penalties if he or she knowingly (i) uses or causes to be used a unique health identifier, (ii) obtains IIHI, or (iii) discloses IIHI to another individual.
In a Memorandum of Opinion released in 2005, the DOJ explains that “knowingly” refers to knowledge of the facts that constitute the offense, not knowledge of the law being violated. The maximum criminal penalties under HIPAA range from $50,000 to $250,000 in fines and from one year to 10 years’ imprisonment, with the steepest penalties reserved for situations where the violation was designed to achieve “commercial advantage, personal gain, or malicious harm.” The DOJ’s Memorandum of Opinion emphasizes that “[s]uch punishment is reserved for violations involving ‘unique health identifiers’ and [IIHI]… Thus, the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals.”
UNITED STATES V. MONTAÑA
In United States v. Montaña, the DOJ prosecuted an individual physician, Dr. Eduardo Montaña, in connection with the DOJ’s investigation into Massachusetts-based pharmaceutical company Aegerion Pharmaceuticals, Inc. The investigation centered on Aegerion’s prescription drug Juxtapid — a drug that the pharmaceutical firm misbranded under the Federal Food, Drug, and Cosmetic Act.
According to DOJ filings, the physician allowed Aegerion sales representatives to access the protected health information (“PHI”) of patients who had not been diagnosed with a condition treated by Juxtapid, without those patients’ consent, so that the representatives could identify potential candidates for the drug — a wrongful disclosure of PHI under HIPAA. The filings allege that an Aegerion representative used a personal email account to send Dr. Montaña a list of 102 patients identified as potential candidates and ended the email with the following statement: “By the way, I am sending this to you from my personal email because of the patient info :).”
In the course of this relationship, Dr. Montaña allowed the Aegerion representatives free rein in his electronic medical records (“EMR”) system, handing out his personal access code and explaining how to navigate the system in a text message exchange with an Aegerion sales representative.
The above disclosures represent blatant violations of HIPAA’s privacy regulations (the “Privacy Rule”) and security regulations (the “Security Rule”). First, the Privacy Rule limits and conditions the use and/or disclosure of PHI without patient authorization to specific circumstances, namely for treatment, payment, or health care operations purposes. Dr. Montaña’s provision of several patients’ PHI to Aegerion without their authorization did not fall within any of the Privacy Rule’s required or permitted uses and therefore represented a wrongful disclosure of PHI under the Privacy Rule.
Dr. Montaña’s alleged practices also ran afoul of the Security Rule, which applies to all IIHI that a covered entity creates, receives, maintains, or transmits in electronic form (“e-PHI”). In allowing the Aegerion representatives to freely navigate the practice’s EMR system under his own access credentials, Dr. Montaña failed to observe and maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI and preventing impermissible access or disclosure.
Ultimately, Dr. Montaña pleaded guilty in February 2018 to a misdemeanor count of wrongful disclosure of IIHI and faced up to one year of imprisonment.
UNITED STATES V. LUTHRA
In United States v. Luthra, a 65-year-old former gynecologist from Massachusetts was arrested and convicted of a criminal violation of the Privacy Rule. Dr. Luthra was found to have disclosed her patients’ PHI to a pharmaceutical sales representative in exchange for illegitimate speaking fees, so that the sales representative could identify patients for whom Dr. Luthra could submit a prior authorization form explaining to insurance companies why this particular drug was required. Dr. Luthra was also convicted of lying to Office of Inspector General investigators about her relationship with the sales representative and instructing her staff to do the same.
In convicting Dr. Luthra, the jury determined that she made the above wrongful disclosures with knowledge that they contained IIHI and that she did so without the patients’ authorization — the exact type of egregious violation that the DOJ Memorandum of Opinion recognized as worthy of criminal penalties. During sentencing, prosecutors advocated for a term of 21 months’ imprisonment as well as a $40,000 penalty. However, the judge ultimately decided to impose a sentence of one year’s probation. In addition, at the time of her arrest, Dr. Luthra’s license to practice medicine was revoked.
The Montaña and Luthra cases should not be read to suggest that commonplace violations of HIPAA will lead to imprisonment; rather, in each of these cases, prosecutors added HIPAA violations to a number of other categories of offenses to bolster their case against the defendant. However, the use of these violations does indicate that HIPAA could increasingly become a focal point of future prosecutions under fact patterns not very different from those described above.
Additionally, while the above examples relate to the prosecution of individual providers, covered entities should be aware that the acts of an individual physician may also expose the physician’s practice to additional liability, including civil monetary penalties, if the HHS Office for Civil Rights (“OCR”) decides to put the practice under the microscope and determines that the practice failed to have adequate policies, procedures, and safeguards in place to prevent such violations from occurring. Therefore, it is critical for employers to adequately train and educate providers and staff about the importance of compliance with HIPAA requirements.
Covered entities should also consider whether allowing third parties unauthorized access to EMR systems could be considered a breach of the covered entity’s system access agreement with its EMR provider. These agreements typically contain a representation that the covered entity will put in place sufficient measures to allow only authorized users to access the software; by providing access to unauthorized users, the covered entity may be unknowingly exposing itself to civil liability.
Although these may appear to be isolated and unusual examples at first glance, covered entities should be cognizant that these practices may in fact be more common than they might expect. Moreover, while the individuals in these most recent cases escaped significant jail time or severe financial penalties, the consequences that often accompany a HIPAA conviction can potentially be widespread and severe.
NOTES
The term “individually identifiable health information” means any information, including demographic information collected from an individual, that — (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and — (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. 42 U.S.C. § 1320d(6).
See 42 U.S.C. § 1320d‒6; see also U.S. Dep’t of Just., Scope of Criminal Enforcement Under 42 U.S.C. § 1320d‒6 (June 1, 2005).
See id.
U.S. Dep’t of Just., Scope of Criminal Enforcement Under 42 U.S.C. § 1320d‒6 (June 1, 2005).
42 U.S.C. § 1320d‒6.
See id.
United States v. Montaña, No. 18-CR-10044 (D. Mass. Feb. 26, 2018).
45 C.F.R. § 164.502(a)(1).
Id. § 160.103.
United States v. Luthra, No. 15-CR-30032-MGM (D. Mass. Aug. 1, 2017).
Luthra, Sentencing Memorandum, No. 15-CR-30032-MGM.