Devine Guidance

Failure to Protect Patient Data is a Crime

By Dr. Christopher Joseph Devine
Dr. Christopher Joseph Devine, President, Devine Guidance International

All employees who handle patient information must be appropriately trained on HIPAA.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is now in its third decade as law in the United States. The reason the doctor decided to write a brief article about the law is that its applicability in healthcare is far-reaching, and that includes medtech (pharma, biotech and medical devices). During Dr. D’s weekly voyage through the FDA’s Compliance, Enforcement, and Criminal Investigation pages, the doctor came across a Department of Justice (DOJ) press release announcing the results of criminal proceedings against a doctor (FYI – not old Dr. D) for violating patient confidentiality protected by HIPAA. A willful violation of HIPAA can and does result in criminal prosecution of violators. This includes the Chief Jailable Officers (CJO) if they or their organizations violate the Standards for Privacy of Individually Identifiable Health Information, a.k.a. the PRIVACY RULE! A CJO on the receiving end of a criminal indictment for violating the “privacy rule” may end up crapulous (look it up), reeking of too much booze when the gavel falls and the fitting for a new orange jumpsuit is forthcoming. Enjoy!

U. S. Department of Justice Press Release Excerpt

“BOSTON – A Springfield gynecologist was sentenced today in connection with allowing a pharmaceutical sales representative to access patient records and lying to federal investigators.

Rita Luthra, M.D., 67, of Longmeadow, was sentenced by U.S. District Court Judge Mark G. Mastroianni to one year of probation. In April 2018, Luthra was convicted by a federal jury of one count of violation of the Health Information Portability and Accountability Act and one count of obstruction of a criminal health care investigation.”

Common Sense for Handling Patient Data

Not wanting to state the obvious but obliged to do so: protect patient data with your life, or if not your life, then at all costs (within reason, of course). Seriously, one’s personal freedom and wallet or purse are placed in great jeopardy if one decides to willfully violate HIPAA. Dr. Luthra found out the hard way that allowing a pharmaceutical company sales rep to have a look-see at her patients’ files and the information protected by the Act was not a wise decision. Providing false information to federal investigators, after the fact, was not the smartest decision either. In any event, she was lucky in that she avoided having to be fitted for that stylish orange jumpsuit and the matching shiny bracelets.

As medtech professionals, it is incumbent upon us to protect patient confidentiality at all costs. For individuals who work with patient complaints, complaint investigations, adverse event reviews and reporting, or other post-market surveillance information and data, there is always a chance that you will inadvertently come across patient information protected by HIPAA. As such, it really does need to remain secure. Complaint files and the results of investigations should be treated as sensitive data and protected accordingly. Can you say locked cabinets or cabinet safes? In fact, all employees who handle or may handle patient information need to be appropriately trained on HIPAA. Depending upon where an establishment is located, HIPAA training is mandated by law. Regardless, effective training is the best way to drive compliance while protecting the integrity of an establishment.

If an establishment manufactures medical devices, systems or other types of capital equipment that acquire patient information in support of providing therapy to patients and/or recording the results of treatments provided, those devices and systems are required to be protected from unauthorized access and hacks. Cybersecurity shall be taken seriously. For example, password protection is a good place to start, but it is only a start; it must be backed by all of the other software tools and controls needed for effective cybersecurity.

If prison does not scare the readers, maybe the fiscal penalties will. Unknowing violations can result in a measly $100 for each violation, with a maximum fine of $25,000 for repeat violations. The annual maximum can be as high as $1.5 million. Reasonable cause violations start at $1,000 for each violation, with a maximum of $100,000 for repeat violations. Willful violations (corrected within the required time frame) start at $10,000 for each violation, with a maximum of $250,000 for repeat violations; but wait, there is more. Willful violations (not corrected within the allocated time frame) start at $50,000 for each violation. The moral of the story is simple: do not violate HIPAA.

For this week’s guidance, the doctor will leave the readers with just two takeaways. One: Protect the privacy of patient data at all costs. HIPAA mandates, through the privacy rule, that patient data be protected. It is up to all medtech professionals to ensure we support compliance with the privacy rule. Failure to protect patient information can result in criminal prosecution if willful intent is proven. Two: There is nothing like training to reinforce the importance of compliance with HIPAA. Investing in training is always going to be a worthwhile investment. In fact, training can potentially save an establishment a bucketful of money through prevention. In closing, thank you again for joining Dr. D, and I hope you found value (and some humor) in the guidance provided. Until the next installment of DG, cheers from Dr. D., and best wishes for continued professional success.

References

  1. Code of Federal Regulations. (April 2017). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
  4. FDA. (September 2018). Inspections, Compliance, Enforcement, and Criminal Investigations. “September 19, 2018: Springfield Doctor Sentenced for Illegally Sharing Patient Medical Files.” Accessed October 18, 2018. Retrieved from https://www.fda.gov/ICECI/CriminalInvestigations/ucm621125.htm
  5. HIPAA violations & enforcement. (October 2018). American Medical Association Website. Accessed October 18, 2018. Retrieved from https://www.ama-assn.org/practice-management/hipaa-violations-enforcement

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International