Doctor Admits Criminal HIPAA Scheme for Wrongful Disclosure of Protected Health Information

A former physician with medical practices in New Jersey, New York, and Florida admitted wrongfully disclosing patients’ protected health information (PHI). He pleaded guilty to conspiring to wrongfully disclose patients’ individually identifiable health information to a pharmaceutical sales representative in violation of the criminal provisions of the Health Insurance Portability and Accountability Act (HIPAA).

The pharmaceutical sales representative promoted compound prescription medications and other medications. As an outside pharmaceutical sales representative not associated with the physician’s medical practices, he was not permitted to access and obtain the individually identifiable health information and PHI of the patients. As part of the scheme, the physician permitted the sales representative to have significant access to his office, medical files, and patient information.

The sales representative was also permitted to be present in the physician’s office both during and outside normal business hours and to have access to areas of the office restricted to staff, including areas with patient files and office computers. The physician allowed him to look up patients’ information in files and on office computers to determine if patients had insurance that covered the compound medications. The sales representative then would earmark files in advance so that the physician knew to whom to prescribe the medications.

The physician also brought the sales representative into patient exam rooms during appointments and gave patients the impression that he was employed by or affiliated with the medical practice. This facilitated and caused the disclosure of PHI to the sales representative, who would then use the confidential information to fill out prescription forms that the physician would authorize. The sales representative received commission on those prescriptions.

The physician was previously charged in an indictment alongside the sales representative with conspiring to violate HIPAA and other offenses. He faces a maximum penalty of one year in prison and a $50,000 fine.

Issue:

The HIPAA Privacy Rule established national standards to protect individuals’ medical records and other individually identifiable health information (collectively defined as protected health information (PHI)) and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The Rule allows covered providers and health plans to disclose PHI to “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose PHI to an entity in its role as a business associate only to help the covered entity carry out its healthcare functions — not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.

Discussion Points:

  • Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates.
  • Train all staff on HIPAA, PHI, and Privacy, minimally upon hire and annually. Document that these trainings occurred and file the signed training document in the employees’ education files.
  • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, Privacy, and record release are being followed by all staff, and that each person demonstrates understanding and competency.