A former pharmaceutical district manager faces sentencing in July after pleading guilty to criminal HIPAA violations for his part in a complex fraud scheme involving drug maker Warner Chilcott.
See Also: Proactive Malware Hunting
A U.S. District Court in Boston on April 15 ordered Warner Chilcott to pay $125 million to resolve criminal and civil liability arising from the illegal promotion of various drugs, according to the U.S. Department of Justice.
The fraud scheme involved illegal marketing of pharmaceuticals and the payment of kickbacks to physicians to prescribe the company's products, prosecutors say. The drug maker submitted "false, inaccurate, or misleading prior authorization requests to federal healthcare programs for the osteoporosis medications Atelvia and Actonel," according to the DoJ.
The case also involved several individual prosecutions of former Warner Chilcott employees. Among those prosecuted was former district manager, Landon Eckles, who earlier pleaded guilty to wrongful disclosure of individual identifiable health information, a criminal violation of HIPAA.
Legal experts say the case against Eckles is one of only a handful of criminal HIPAA violation cases that have been prosecuted. "They are relatively rare, but a few cases pop up every few years," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
HIPAA Violation Details
In a statement about Eckles' guilty plea in the case, prosecutors noted that from 2007 to 2012, he worked for Warner Chilcott and served as a district manager in the company's osteoporosis division in a mid-Atlantic district.
The drug Atelvia "had poor insurance coverage in Eckles's district when it was launched in 2011, and many insurance companies required a prior authorization before covering Atelvia," the DoJ says. "A prior authorization contains protected health information, including biographical data and information concerning a patient's medical condition. Certain insurance companies require prior authorizations signed by a patient's doctor in order to overcome restrictions that favor less expensive prescription drugs."
Eckles told certain sales representatives that if physicians refused to fill out Atelvia prior authorizations, they should should fill them out themselves, the DoJ alleged.
Several sales representatives, along with Eckles himself, filled out Atelvia prior authorizations, "and by doing so, accessed patients' protected health information in violation of the HIPAA law and regulations that safeguard the privacy of confidential health records," according to the DoJ.
Prosecutors say Eckles and a sales representative also accessed a number of patients' medical charts and placed Atelvia brochures in the charts so that physicians would be reminded to prescribe it. "Eckles bragged about this tactic to his sales representatives, stating, 'I guarantee you that this is going to drive business,' and encouraged his sales representatives to follow suit. In part, as a result of his scheme, Eckles received a bonus of approximately $60,000 in 2011," DoJ says.
HIPAA Sentencing
Eckles' sentencing date has been moved at least twice, and he is now scheduled to be sentenced on July 26, according to court documents. He faces a sentence of no greater than 10 years in prison, three years of supervised release, a fine of $250,000 and exclusion from the Medicare program.
An attorney representing Eckles declined to comment on the case.
Warner Chilcott is now part of Dublin, Ireland-based pharmaceutical company Allergan. An Allergan spokesman also declined to comment on the case.
Egregious Violations
While criminal HIPAA violation cases are rare, prosecutors pursue these cases when they involve particularly egregious behavior, legal experts say.
"There have been a variety of HIPAA criminal penalties in situations where individuals have done things that clearly have been wrong," says privacy attorney Kirk Nahra of the law firm Wiley Rein LLP. "We've seen individuals go into records and use them to commit identity theft. We've seen hospital workers sell records to others who use them to commit fraud. We've seen a variety of 'celebrity' cases where individuals access celebrity medical records and then sell information to the media."
Nahra stresses that the HIPAA criminal cases all have involved "egregious wrongdoing, not misinterpretations of the rules or minor slips."
What sets the Eckles case apart from most other criminal HIPAA violation cases, Nahra says, is that it's part of a "much bigger overall fraud case."
Attorney Greene says he expects the prosecution of criminal HIPAA cases will continue to be relatively infrequent.
"We will continue to see a few criminal convictions every once in a while, often surrounding fraudulent conduct such as identity theft schemes or larger criminal schemes," he says. "It is rarer to see a criminal case that solely surrounds HIPAA, such as a snooping case or a more straightforward impermissible disclosure case. Federal prosecutors have limited resources, and bringing HIPAA prosecutions for straightforward privacy violations is likely an activity that they cannot focus on."
Other Cases
Another recent case involving prosecution for criminal HIPAA violations involved a former East Texas hospital worker who pleaded guilty in a case involving illegally obtaining protected health information with the intent to use it for personal gain. Joshua Hippler was sentenced in February 2015 to 18 months in prison after pleading guilty in August 2014 to wrongful disclosure of individually identifiable health information (see Prison Term in HIPAA Violation Case).
Back in October 2013, Denetria Barnes, a former nursing assistant at an unidentified Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information. And in April 2013, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud, as well as criminal HIPAA violations (see Hefty Prison Sentence in ID Theft Case).
Aside from those cases, most other defendants sentenced for criminal HIPAA violations have generally gotten lighter sentences.
For example, in November 2014, Christopher R. Lykes Jr., a former South Carolina state employee, was sentenced to three years of probation, plus community service, after he sent personal information about more than 228,000 Medicaid recipients to his personal email account. Lykes pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy (see Sentencing in S.C. Medicaid Breach Case).
And in a 2010 case, former UCLA Healthcare System surgeon Huping Zhou, M.D. was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. Zhou was the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the central district of California (see HIPAA Violation Leads to Prison Term).