U.S. v. Luthra, 2018 WL 1783799 (D. Mass. 2018)
A federal trial court has refused to dismiss criminal charges against a physician accused of “knowingly” disclosing patients’ protected health information (PHI) in violation of HIPAA’s privacy rule. The physician, frustrated by insurers’ repeated coverage denials of a brand-name drug for which cheaper generic alternatives were readily available, enlisted the help of a sales representative of the brand-name drug manufacturer to complete prior authorization forms for submission to insurers. Patients’ PHI was disclosed to the sales representative as part of this effort, without patients’ authorizations. The federal government brought criminal charges against the physician, alleging that she knowingly disclosed PHI without proper authorization.
The court denied the physician’s motion to dismiss the indictment, rejecting arguments that the disclosures were permitted for treatment, payment, or health care operations. The court ruled that the physician failed to demonstrate how disclosure of PHI to a sales representative related to “treatment” as defined in the HIPAA privacy rule. Also, the physician failed to explain how the disclosed PHI related to development or improvement of payment methods for the drug. And the court rejected contentions that the drug manufacturer was itself a “health care provider” seeking payment. With regard to proving the physician “knowingly” made the disclosures in violation of HIPAA, the court noted the physician’s alleged misrepresentations to investigators when she denied making the disclosures and her direction to her medical assistant to repeat the misrepresentations—acknowledging that there is a “HIPAA law” and warning her assistant of “hefty fines” for both of them if people found out they had shared medical records.
EBIA Comment: The court’s decision comes at an early stage of the proceedings, and the physician will have an opportunity to develop facts supporting her defense at trial—but the fact that the criminal case has proceeded this far should give pause to anyone handling PHI. The physician’s request for help from the drug manufacturer’s representative is perhaps understandable, but she would have been well-advised to ask for patient authorization first, or to use de-identified information when seeking assistance since de-identified information falls outside the HIPAA privacy rule. Unfortunately, by allegedly trying to cover up the disclosures, the physician compounded her misjudgment and may have crossed the line into criminal behavior. For more information, see HIPAA’s Portability, Privacy & Security manual at Sections XX.F (“Criminal Penalties”), XXII.A (“What Information Is Protected?”), and XXVI.B (“Uses and Disclosures for Treatment, Payment, and Health Care Operations”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy and Security” (recorded 1/17/18).
Contributing Editors: EBIA Staff.