HIPAA Regulatory Alert: Ruling on criminal prosecution under HIPAA raises furor

Critics say legal opinion will allow those who abuse privacy information to escape prosecution

A Department of Justice legal opinion, issued at the request of the Department of Health and Human Services (HHS), stated that only covered entities and those people rendered accountable by general principles of corporate criminal liability may be prosecuted under criminal enforcement provisions of the HIPAA Administrative Simplification section. The opinion has been attacked by privacy advocates, who say it will allow people who misuse privacy information to escape prosecution.

HHS had asked whether the only people who may be directly liable are those to whom the substantive requirements of the subsection apply — health plans, health care clearinghouses, certain health care providers, and Medicare prescription drug card sponsors — or whether the law may also render directly liable other people, particularly those who obtain protected health information in a manner that causes the person to whom the substantive requirements of the subtitle apply to release the information in violation of the law.

Who is liable?

In the opinion he wrote for HHS, Steven Bradbury, principal deputy assistant attorney general, said the department had concluded that health plans, health care clearinghouses, those health care providers specified in the law, and Medicare prescription drug sponsors may be prosecuted for violations of Section 1320d-6.

In addition, he said, depending on the facts of a given case, certain directors, officers, and employees of these entities may be liable directly under Section 1320d-6 in accordance with the general principles of corporate criminal liability, as those principles are developed in the course of a particular prosecution. “Other persons may not be liable under this provision,” Bradbury wrote. “The liability of persons for conduct that may not be prosecuted directly under Section 1320d-6 will be determined by principles of aiding and abetting liability and of conspiracy liability.”

While Bradbury did not go into detail on the principles of corporate criminal liability, he noted that, in general, the conduct of an entity’s agents may be imputed to the entity when the agents act within the scope of their employment, and the criminal intent of agents may be imputed to the entity when the agents act on its behalf. “In addition, we recognize that, at least in limited circumstances, the criminal liability of the entity has been attributed to individuals in managerial roles, including, at times, to individuals with no direct involvement in the offense,” he wrote. “Consistent with these general principles, it may be that such individuals in particular cases may be prosecuted directly under Section 1320d-6,” Bradbury continued.

Other conduct that may not be prosecuted under Section 1320d-6 directly may be prosecuted according to principles either of aiding and abetting liability or of criminal liability, he wrote.

Attorneys surprised at HHS direction change

The ruling limiting prosecution came as a surprise and a disappointment to many privacy advocates and attorneys.

Peter Swires, a law professor at The Ohio State University in Columbus who was chief counselor for privacy in the Office of Management and Budget in the Clinton administration, tells HIPAA Regulatory Alert that this opinion is helping the Bush administration turn the medical privacy law into little more than a voluntary standard. “Unless the administration pulls back from its current position, it will be up to Congress to protect privacy and say that obviously criminal behavior should be punished by criminal law,” he says.

Swires says he has heard that the department pushed hard for this ruling, much to the consternation of some Justice Department attorneys who don’t agree with it and are looking for other ways to prosecute those who misuse privacy data.

According to Swires, the HHS Office of Civil Rights (OCR), which has been given the job of civil enforcement of HIPAA, has done little to address the more than 13,000 HIPAA privacy complaints it has received in the past two years. OCR has yet to bring a single enforcement action, he says, and that lack of enforcement sends a signal to covered entities “that HHS will not act even against flagrant violations of the privacy rule.”

With no civil enforcement actions, the only success has been on the criminal front, Swires says, and that involves just one case — a hospital lab phlebotomist who accessed the records of a patient with a terminal cancer condition, got credit cards in the patient’s name, and ran up more than $9,000 in fraudulent charges, mostly for video games.

Under a plea agreement, the lab technician was sentenced to 16 months in jail. At the time the technician was prosecuted, the Department of Justice said the case “should serve as a reminder that misuse of patient information may result in criminal prosecution,” but Swires says it is now possible the technician will have to be released: under the new opinion, he could not be criminally prosecuted because he is not a covered entity (although it is possible he could be prosecuted for identity theft).

Swires says these are among the reasons why the opinion is bad law:

1. The statute applies to “a person who knowingly and in violation of this part. . . .” While the opinion defines “person” only as a covered entity, Swires says the natural reading would include hospital employees who abuse medical records.

2. The criminal statute includes jail time, and real people are sent to jail, not hospitals and health insurance companies.

3. The attorneys who wrote the opinion overlook the fact that Congress made it a crime for any person to illegally obtain health information and insist that Congress was not concerned about criminal activities by outsiders who steal medical records or by insiders who sell medical records or use them for their own advantage, but rather Congress only wanted to target covered entities.

Robert Gellman, a privacy consultant, tells HIPAA Regulatory Alert that problems with misuse of medical records are much more likely to involve lower-level staff people in health care organizations who have access to the records than the physicians who are covered. “Whether there are other criminal penalties that can be applied to those who have been let off the hook by the opinion remains to be seen,” he continues. Gellman says one reason the department might have pushed for this opinion is that it will mean less work to be done, and the agency already has shown in civil enforcement that it doesn’t want to do much work. “It appears that OCR has little interest in HIPAA,” he adds.

Greatest impact may be in the future

In the short term, the opinion may not have much of an impact because there already is very little enforcement, Gellman points out. In the longer term, it may affect President Bush’s initiative for more electronic health records and a national health information technology effort, he says. “HIPAA came about initially because Congress wanted more electronic health transactions,” recalls Gellman. “But if more people are able to retrieve more medical information, how can you justify the technology and build public support without a policy to protect privacy?”

Emily Stewart, Health Privacy Project policy analyst, tells HIPAA Regulatory Alert the opinion came as a surprise and is seen as a “real blow to consumers in terms of the kinds of recourse they have when their privacy is invaded. It severely weakens the force of a law that is already weak in enforcement.” She says her group has a consumer coalition on health privacy and has been talking to the other members about possible steps to strengthen privacy protections. “We find it very ironic that the Bush administration continues to push for a national health information network without providing good safeguards to protect privacy of health information,” Stewart says.

HHS also had asked for an explanation of the element in the criminal enforcement section that talks about enforcement against those who knowingly use or cause to be used a unique health identifier, obtain individually identifiable health information relating to an individual, or disclose individually identifiable health information to another person.

The question from HHS was whether the provision requires only proof of knowledge of the facts that constitute the offense or whether it also requires proof of knowledge that the conduct was contrary to the statute or regulations. The Department of Justice said it had determined that the reference was only to knowledge of the facts constituting an offense.

“A plain reading of the text indicates that a person need not know that commission of an act described in [the subsections] violates the law in order to satisfy the ‘knowingly’ element of the offense,” Mr. Bradbury wrote. “Section 1320d-6 makes the requirements that the act be done ‘knowingly’ and that it be done ‘in violation of this part’ two distinct requirements. . . . Accordingly, to incur criminal liability, a defendant need have knowledge only of those facts that constitute the offense.”