Open Icon Key

The Impact of a HIPAA Violation

Compliance Basics
Brandy Brimhall
in Compliance Basics
By Brandy Brimhall CPC CPCO CCCPC

Learning Lessons from Healthcare Peers

Anyone in healthcare, not living under a rock, has seen reports, news articles and headlines about HIPAA violations. We read about those who did not heed the warnings; chose not to adhere to the guidelines; or thought they were above the law. Yet another example, read recently, minded me of the old adage that begins, “Oh, what a tangled web we weave…”. This one has some interesting twists that are important and illustrate how one simple action can expand into a much larger, much more devastating issue.

HIPAA Compliance

The investigation began with the Department of Justice (DOJ) looking into alleged kickback violations by a drug company, Warner Chilcott and its parent company Allergan, PLC. A probe into Warner Chilcott examined the suspected issue of representatives of the drug company paying doctors “speaking fees.” These were viewed as a way to secure the prescription of certain drugs made by the company, and as a manipulation of the prior authorizations that resulted in payment for the prescriptions by the insurance companies.

When the DOJ cast its net over Warner Chilcott for the investigation, it had no way of knowing what it would uncover. The initial allegation was that Warner Chilcott paid kickbacks to physicians, such as dinners or fees to “speakers” for the company, in exchange for prescriptions.

The Investigation Process

As the information unfolded in the case against Warner Chilcott, the investigation expanded to include providers that were being paid by the pharmaceutical company. Out of 2,000 doctors, the DOJ dialed down on five specifically. Of the five, one eventually stood alone. Gynecologist Dr. Rita Luthra was initially charged with violations of the federal anti-kickback law. As the investigation of Luthra unfolded, these charges would be dropped and replaced with allegations of violating the HIPAA Privacy Law, witness tampering and obstruction of justice.

How would the DOJ make this jump to HIPAA? The investigation of Dr. Luthra uncovered instances where Luthra had allowed Warner Chilcott representatives and her office assistant to access patient records (PHI) without the patient’s consent. The sales representative and the assistant, “creatively” used prior authorization forms, along with the patients’ health information, to ensure that prescriptions would be covered by insurance companies for their name brand drugs. Making matters worse, during the investigation, Dr. Luthra also lied to the Health and Human Services (HHS) agents about the incidents.

Investigative Findings and Penalties

On April 30, 2018, after a lengthy investigation, Dr. Luthra was found guilty of criminal HIPAA violation and obstruction of a criminal healthcare investigation. The charge for the HIPAA violation holds a sentence of no greater than one year in prison and/or a fine of $50,000 and one year of supervised release. The charge for the obstruction of justice comes with a sentence of no more than five years in prison, three years of supervised release and a penalty of $250,000. The charge for witness tampering was dropped.

So why inform chiropractors through an article about a gynecologist? We find that DCs tend to turn a blind eye to the reach of the departments that govern compliance. HHS, DOJ, and the Office of Inspector General followed the path of evidence in this investigation. This case initially began in 2009 with one company, encompassed 2,000 providers, and concluded in 2018 with the convictions. Talk about persistent! It’s also important here to note that compliance does not single out chiropractors or any other entity in the healthcare industry. This probe began with a pharmaceutical company and captured a gynecologist. Perhaps most importantly, let us emphasize that if you are ever in a similar situation, or even involved in a simple audit, records request or any format of a review of your patient’s records, ALWAYS TELL THE TRUTH.

For years, we have been instructing providers to follow the recommendation of establishing an effective compliance program in their offices. This is critically important! It’s true that an effective compliance program wouldn’t have kept this doctor from making bad decisions. This doctor acted intentionally…but your office may be at risk unintentionally. Who knows where the initial suggestion to perpetrate this violation came from? But we wonder if an established Code of Conduct, Business Associate Agreements, and a properly trained team would have held this doctor or staff members to a higher level of ethics. Perhaps the doctor, “didn’t know what she didn’t know.” How is that possible after all the years basic HIPAA has been in place? What about your office? While a doctor may know the rules, can you be 100 % certain that every team member fully understands and properly executes HIPAA in the office? If you don’t have written policies and procedures, disciplinary guidelines or training in place, you are at risk.

An effective, properly-scaled compliance program for your office is mandatory. This guideline was not established to create more work for doctors and teams. While we recognize that it may feel that way, the intent is very different. Compliance rules were created to help providers establish a means of self-monitoring, documenting, and establishing proper safeguards through polices and procedures within their office. Not only is this intended to help you meet requirements but can be of great benefit to you. An effective compliance program will help reveal areas of risk and maybe even opportunity. A comprehensive compliance program covers HIPAA privacy, security, baseline and periodic audits of patient records and eight elements outlined by the Office of Inspector General. The initial steps of establishing this program can be daunting, but if your office does not have an effective compliance program, you may not know your level of risk. KMC University members have access to everything necessary to bring your office into compliance, and help you sleep at night. Not a member yet? Click here to arrange a no-obligation demonstration of the most comprehensive online training available in the profession today.

Close