Most violations of the Health Insurance Portability and Accountability Act (HIPAA) are addressed through administrative enforcement action. But in some circumstances, improper conduct affecting the privacy or security of patient information may lead the federal government to criminally punish the parties involved.
Two recent prosecutions for criminal conspiracy to violate HIPAA are a stark reminder of the legal boundaries that HIPAA imposes on the sharing of patient information between a health care provider and a pharmaceutical company.
In October of 2022, federal prosecutors in New Jersey announced that a physician with medical practices in New Jersey, New York, and Florida (the Physician) and a pharmaceutical sales representative (the Sales Rep) each pleaded guilty to conspiring to wrongfully disclose and obtain patient information in violation of HIPAA’s criminal prohibitions. According to charges by the US Department of Justice (DOJ) in a superseding information, the unlawful information-sharing aided the submission of false and fraudulent insurance claims for compound prescription medications that the Sales Rep, who also pleaded guilty to conspiracy to commit health care fraud, arranged in exchange for commission payments.
As part of the conspiracy to violate HIPAA, the Sales Rep had virtually unfettered access to patient information at the Physician’s medical practice, the DOJ alleged. In staff-restricted areas of the Physician’s office during and outside normal business hours, the Sales Rep pored through patient schedules and charts to flag patients with insurance coverage for the marketed compound medications. On some occasions, the Physician allowed the Sales Rep to be present during appointments with patients, without revealing that the Sales Rep did not work for the practice. On others, the Sales Rep met with patients by himself and obtained information he used to fill out prescriptions that the Physician later authorized. The DOJ alleged that, in all of these instances in which the Sales Rep gained access to patient information, the Physician lacked patient authorization or another lawful basis under HIPAA to disclose the information.
For health care providers and pharmaceutical manufacturers alike, the outcome of these cases raises important HIPAA compliance questions. When, if ever, may a health care provider disclose patient information to a pharmaceutical manufacturer and its sales agents? And in what circumstances does an unauthorized disclosure of patient information rise to the level of a crime?
How Pharmaceutical Manufacturers Fit Within the HIPAA Framework
HIPAA regulates the use and disclosure of “protected health information” (PHI). Its regulatory requirements apply to health care providers, health plans, and certain other parties that meet the criteria of a “covered entity.” In general, a covered entity may use or disclose PHI only as HIPAA expressly requires or permits. These restrictions are intended to protect the privacy and security of patients’ information.
In contrast to physician practices, hospitals, and other health care providers that prescribe or purchase pharmaceutical products, the manufacturers of those products typically are not covered entities. Pharmaceutical representatives also generally do not generate PHI, and many of their job functions do not require access to it. However, HIPAA does contemplate some situations in which a pharmaceutical manufacturer and its personnel may have a legitimate need for PHI from a covered entity.
For example, under what is referred to as HIPAA’s “public health provision” (codified at 45 CFR § 164.512(b)), a covered entity may disclose PHI to a pharmaceutical manufacturer for the purpose of “activities related to the quality, safety or effectiveness” of a product or activity regulated by the US Food and Drug Administration (FDA). Such PHI-sharing activities are permitted to support collection or reporting of adverse events, product recalls, or post-marketing surveillance, among other purposes.
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces HIPAA through the imposition of administrative sanctions, explained in agency guidance that HIPAA’s public health provision is “intended to facilitate the flow of information that is essential to the FDA’s public health mission.” This does not, however, permit a covered entity to disclose PHI “to a manufacturer for the manufacturer’s commercial purposes, or for any other non-public health purpose.” For example, OCR noted that a covered entity may not “provide a drug manufacturer with a list of persons who prefer a different flavored cough syrup over the flavor of the manufacturer’s product.”
When a HIPAA Violation Becomes a Crime
An unauthorized use or disclosure of PHI may prompt administrative enforcement action by OCR against the covered entity. In the majority of cases of HIPAA noncompliance, OCR will first attempt informal resolution by obtaining voluntary compliance through corrective action. Such corrective action may take the form of a resolution agreement, which may require payment of a settlement amount and implementation of a corrective action plan. If OCR and a party do not mutually agree to a resolution agreement, or if a party violates the terms of a resolution agreement, OCR may impose a civil monetary penalty.
If OCR receives a complaint or learns of another event that implicates the criminal provision of HIPAA, OCR may refer the matter to DOJ for investigation. Under 42 USC § 1320d-6, a person faces imprisonment for up to one year and/or a fine of up to $50,000 for knowingly and in violation of HIPAA: (1) using or causing to be used a unique health identifier; (2) obtaining individually identifiable health information (IIHI, which is a component of the definition of PHI) relating to an individual; or (3) disclosing IIHI to another person. Additional penalties apply if a person commits the offense under false pretenses or with intent to sell, transfer, or use IIHI for commercial advantage, personal gain, or malicious harm.
In 2005, the DOJ Office of Legal Counsel, which provides legal advice to the president and federal executive agencies, issued a legal opinion to HHS interpreting the scope of DOJ’s criminal HIPAA enforcement authority. In that memo, DOJ concluded that only covered entities, along with certain directors, officers, and employees of those entities, are prosecutable for a statutory violation. Other parties not directly liable under the statute, however, may still be prosecuted for aiding and abetting or participating in a conspiracy with a covered entity to commit a criminal HIPAA violation. Thus, as the recent conviction of the Sales Rep demonstrates, the representative of a pharmaceutical manufacturer may be punished for participating in a criminal HIPAA conspiracy, even if the manufacturer is not a covered entity.
Patient Information-Sharing Between Physician and Sales Rep Was Part of Larger Fraud Scheme Involving Compound Drug Claims
According to DOJ’s superseding information against the Sales Rep, the criminal HIPAA conspiracy between the Physician and Sales Rep facilitated another criminal fraud conspiracy between the Sales Rep and several executives from a pharmacy in Louisiana to profit from prescriptions for compound medications that the Sales Rep promoted and the pharmacy dispensed. To this end, the Sales Rep generated prescriptions from the Physician for patients whom the Sales Rep, using patient information from the Physician’s medical practice, earmarked or recruited as having prescription drug insurance benefits administered by a pharmacy benefits manager that would pay for those medications. For each prescription the Sales Rep arranged, the pharmacy paid him a portion of the payment it collected.
Both the Physician and Sales Rep could be imprisoned for up to one year and fined up to $50,000 for the criminal HIPAA conspiracy to which they pleaded guilty. Additionally, the Sales Rep could be imprisoned for up to 10 years and fined up to $250,000 on the health care fraud conspiracy count. Sentencing for both defendants is scheduled to occur in February of 2023.
Key Takeaways
The prosecutions of the Physician and Sales Rep follow a recent pattern of similar cases in which DOJ charged defendants for offenses involving unlawful disclosures of patient information to pharmaceutical sales agents. These enforcement actions should alert covered entities and their workforce members to the risks of HIPAA’s criminal penalties. Although physician practices and other covered entities may have legitimate, permissible reasons for disclosing PHI to pharmaceutical manufacturers and their representatives, they should exercise caution when engaging in such information-sharing practices.
As the Sales Rep’s prosecution underscores, pharmaceutical manufacturers should be mindful of additional fraud and abuse risks that may arise from the unauthorized access and use of PHI, particularly where a company or salesperson has a strong commercial incentive to acquire PHI. Indeed, many of the alleged activities that the Sales Rep undertook involving access to PHI, such as reviewing records to confirm insurance coverage for the marketed products, are activities that the HHS Office of Inspector General (OIG) warned in its Compliance Program Guidance for Pharmaceutical Manufacturers could implicate the Anti-Kickback Statute.
To minimize these regulatory risks, HIPAA covered entities that allow visits to their facilities by pharmaceutical sales reps should develop staff training programs and policies to ensure those visits are conducted properly. Items to address may include, for example, authorized locations where sales reps may be present, interactions with patients, and safeguards for PHI. Likewise, manufacturers should maintain similar programs and policies to govern the conduct of their representatives when interfacing with health care providers, drawing from OIG’s compliance program guidance and other industry compliance resources, such as the PhRMA Code on Interactions with Health Care Professionals. Even if they are not covered entities themselves, many pharmaceutical manufacturers may benefit from incorporating HIPAA training and privacy policies into their compliance programs.