Criminal HIPAA charges are not handed down frequently, but when an individual “knowingly” and inappropriately obtains and discloses a patient’s protected health information (PHI), they could face up to $50,000 in fines and up to one year in prison, according to 42 U.S.C. § 1320d-6. Additionally, if found guilty of obtaining or disclosing the information with the intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or with malicious intent the penalties can increase up to $250,000 and 10 years in prison.
According to a October 20, 2022 Department of Justice press release, a former compounding pharmacy sales representative located in New Jersey is facing criminal HIPAA charges for obtaining unauthorized access to PHI with the intent to personally profit. The sales rep promoted compounded prescriptions and other medications which were subsequently filled by a Louisiana pharmacy. The sales rep and his co-conspirators knew which plans would reimburse significantly for certain compounded medications and the sales rep then recruited patients with that specific insurance. To do this, the sales rep gained access to a medical clinic where the doctor allowed him to have significant access to patient medical records. Since the sales representative was not an employee of the doctor’s office, he was not authorized to access the information without first obtaining proper release. The sales rep would then sift through medical records to identify patients with the sought-after insurance plan. The patient files would be tagged so the doctor could easily identify patients with the specific insurance plan so he knew whom he should prescribe the compounds. On occasion, the sales representative would even join the doctor and patient in the exam room as if he were employed by the medical office, which he was not.
Patients were targeted based on information illegally gained from within secure patient records, then they were prescribed and dispensed medically unnecessary compounded medications all as a result of this scheme.
Training staff to appropriately handle PHI, and discussing the consequences of mishandling PHI, is critical to preventing a breach and other unauthorized access to protected information—malicious or not. If you have not already taken advantage of the PAAS National® Fraud, Waste, and Abuse and HIPAA Compliance Program, now is a great time to reach out to a PAAS staff member to learn about the best program available to independent pharmacies. Ring in the New Year with confidence knowing that you have a method to provide your staff with comprehensive, community pharmacy focused HIPAA training.