Eduardo Montaña, M.D., had never encountered a representative from Aegerion Pharmaceuticals before a woman walked into the pediatric cardiologist’s Atlanta-area practice one day in February 2013. After she met his office staff, Montaña gave approval for her to come and talk to him.

Over the next two months, Montaña, the rep and another person from Aegerion worked together to identify nearly 300 patients who might be candidates for Juxtapid, an orphan drug approved that previous December for a rare type of inherited high cholesterol in adults. In a decision he now calls a “mistake” and an “extreme outlier,” Montaña shared protected health information (PHI) with the woman, giving her access to his electronic medical records (EMR) system.

It led to Montaña being charged with a rare criminal violation of HIPAA, albeit a misdemeanor, for which he was sentenced to six months’ probation last month. He pled guilty in February 2018. Montaña, through his attorney, says his is a “cautionary tale.”

Montaña is “disappointed and upset that this ever happened and wants to make sure that no one else makes the same mistake,” T.C. Spencer Pryor, a partner with Alston & Bird LLP, told Report on Patient Privacy, RMC’s sister publication. Pryor says Montaña didn’t learn he was under investigation until three years after his dealings with Aegerion.