Government prosecution of pharmaceutical companies for alleged illegal promotion of their products has been steady for many years, and drug company Warner Chilcott, LLC recently agreed to plead guilty and pay $125 million to resolve criminal and civil liability for healthcare fraud. The case highlights the vulnerability of providers, with its novel prosecution for violation of the Health Insurance Portability and Accountability Act (HIPAA) privacy protections. According to a Department of Justice press release, three drug company employees have pleaded or agreed to plead guilty to criminal HIPAA violations, and a physician practice owner has also been indicted for alleged unlawful access and disclosure of patient medical records in violation of HIPAA. Allegedly, in an effort to facilitate insurance approval for Warner Chilcott products, district sales managers encouraged sales representatives to complete prior authorization forms for individual patients and to place drug brochures in patient charts. Neither of these activities could take place without access to protected health information in patient medical records, which is a HIPAA violation. Sales representatives were additionally accused of taking patient records home to complete authorization forms in some instances. Both the parties accessing the information and the party granting unauthorized access (i.e., the physician) may be subject to prison sentences, monetary fines, and exclusion from participation in federal healthcare programs.

HRC Recommends: Despite established HIPAA privacy and security standards, patients remain vulnerable to violations by providers and their business associates. Likewise, covered entities expose themselves to a variety of serious consequences as a result of violations. Healthcare providers and organizations must ensure that all employees and nonemployee professional staff, including physicians, leadership, office staff, and other individuals who come within the HIPAA privacy rule's definition of "workforce," participate in competency-based education on the HIPAA standards and the facility's privacy policy to ensure that protected health information is consistently treated in the appropriate manner. Training should specifically delineate between allowable and unallowable disclosures to business associates under HIPAA's treatment, payment, and operation provisions as well as the Act's marketing rules.

Topics and Metadata

Topics

Health Information Privacy; Litigation

Caresetting

Hospital Inpatient; Hospital Outpatient; Physician Practice

Roles

Risk Manager; Legal Affairs; Corporate Compliance Officer; Healthcare Executive

Information Type

News

Publication History

Published November 25, 2015

Who Should Read This

Administration, Corporate compliance, HIPAA privacy officer, HIPAA security officer, Information technology, Legal counsel