Most cases of Health Insurance Portability and Accountability Act (HIPAA) violations result in civil penalties, ranging anywhere from $100 to $50,000 per violation, along with corrective action. There are times, however, when a covered entity or business associate may face criminal penalties from such violations.
According to the Department of Health and Human Services (HHS), 91,000 complaints of HIPAA violations were made between 2003 and 2013. Of those 91,000 complaints, 22,000 resulted in civil enforcement actions while 521 led to referrals for criminal action.
One of the most recent cases of criminal charges associated with HIPAA violations involved three managers from a pharmaceutical firm. The managers, Landon Eckles, Timothy Garcia, and Jeff Podolsky, were sentenced by District Court judges for violating HIPAA and defrauding patients.
In a press release, the District of Massachusetts Attorney's Office said the three managers committed healthcare fraud to increase sales of osteoporosis drugs. Some of the managers have also been accused of accessing patients' Protected Health Information (PHI) without the proper authorization.
“In 2011, Atelvia®, an osteoporosis drug, was launched, but it was not covered by many insurance companies primarily because a generic alternative was available,” the statement explained. “Therefore, insurance companies required physician approval, known as a prior authorization, before covering Atelvia®. In order to drive sales, Eckles directed certain sales representatives to fill out Atelvia® prior authorizations even if physicians refused to do so,” explained the District of Massachusetts Attorney's Office.
Eckles received a sentence of one-year probation and a $10,000 fine. Garcia received a sentence of eight months of home confinement and a $21,500 fine. And Podolsky received a sentence of eight months of home confinement and a fine of $38,237.
Earlier this year, the Office for Civil Rights (OCR) explained in a separate, unrelated settlement that covered entities must maintain accurate and up-to-date policies for obtaining patients' permission to post their personal information. Covered entities and business associates that access and/or share a patient's PHI without the proper authorization could be subject to fines and/or other penalties. While it's doubtful that criminal charges will occur in most cases – not unless there's willful intent – there are cases when criminal charges do happen, such as the example mentioned above.
The bottom line is that covered entities need to pay a little more attention to their policies and procedures, ensuring they abide by HIPAA and its Security Rule, Privacy Rule and Breach Notification Rule.