Don't have a TCI SuperCoder account yet? Become a Member >>

Part B Insider (Multispecialty) Coding Alert

Physician Notes:

Expect Fines and Possibly Prison for Criminal HIPAA Violations, DOJ Says

Plus: Review your GDPR smarts before the May 25 release date.

Most HIPAA breaches concern the accidental release of patients' health records. In fact, the impermissible disclosure of protected health information (PHI) is uncommon - as are the violations that arise from the action. Unfortunately, one Massachusetts gynecologist learned the hard way that there will be consequences for this type of unlawful data sharing.

Physician, Rita Luthra, MD, who practices in Springfield, Massachusetts, was convicted of violating HIPAA by allowing a Warner Chilcott sales representative to illegally access her patients' information, noted a Department of Justice (DOJ) release. The clinician, also, lied to the feds when interviewed about her ties to the pharmaceutical giant. The crimes occurred over a 10-month period between January 2011 and November 2011, the release suggested.

Remember: "The charge of violation of the Health Information Portability and Accountability Act [HIPAA] provides for a sentence of no greater than one year in prison and/or a fine of $50,000 and one year of supervised release," reminded the DOJ report. "The charge of obstructing a criminal health care investigation provides for a sentence of no greater than five years in prison, three years of supervised release and a fine of $250,000."

The case will be prosecuted by the HHS Office of Inspector General with sentencing to follow.

Access the DOJ release at

In other news...

Part B providers that utilize medical research may want to study the European Union's (EU) international privacy guidelines before the General Data Protection Regulation (GDPR) goes live on May 25, 2018.

Why: Stiff penalties may ensue for researchers and providers who don't follow the GDPR guidelines, which are significantly more restrictive about safeguarding patients' data than HIPAA, suggests the HHS Secretary's Advisory Committee on Human Research Protections (SACHRP) guidance. "A U.S.-based clinical study could be subject to the GDPR if it uses digital technology, such as wearables, mobile phones, or other personal electronic devices, to track subjects' heart rate, blood pressure, levels of physical activity, or other data points," explains the SACHRP.

Warning: And even though U.S.-led research may only use American patients, they may still fall under the GDPR. For example, if those subjects travel abroad to EU nations with their mobile devices and wearables, transferring data back to the U.S., that information may fall under the jurisdiction of the EU and therefore privy to GDPR protocols.

Resource: For a closer look at the HHS Office of Human Research Protections guidance, visit