Government
HIPAA memo could affect doctors' criminal liability
■ Privacy experts say a new Justice Dept. opinion indicates that criminal prosecutions of HIPAA violations will target covered entities but not others.
By Amy Snow Landa — Posted July 18, 2005
- WITH THIS STORY:
- » External links
- » Related content
A memo the Justice Dept. recently issued could make some physicians more susceptible to criminal prosecution under the federal medical privacy law and others less so, health lawyers and privacy experts say.
Released publicly on June 9, the memo is the first Justice Dept. statement to address criminal enforcement of patient privacy protections under the Health Insurance Portability and Accountability Act of 1996.
According to the opinion, HIPAA's criminal enforcement provision applies directly to "covered entities," which include physicians and other health professionals specified in the statute, health plans, health care clearinghouses and Medicare prescription drug card sponsors.
"In addition," the memo states, "depending on the facts of a given case, certain directors, officers, and employees of these entities may be directly liable." But the memo adds, "Other persons may not be directly liable under this provision."
That wording could offer physicians an important avenue for avoiding criminal liability under HIPAA, said Sarah Coyne, a partner at the law firm Quarles & Brady LLP in Madison, Wis., and a member of its health law group.
Whether an individual physician is a covered entity "wasn't all that important before," said Coyne, who represents doctors on regulatory compliance issues. "But it is now, in light of this opinion."
In many cases, there is no question as to whether a particular physician is a covered entity or not, Coyne said. For example, a physician with his or her own practice who submits electronic transactions is clearly a covered entity, whereas a physician who works only on paper clearly is not.
"But then there is this whole fuzzy middle ground, and it's never been crystal clear whether the typical physician who is employed by a group or hospital is a covered entity," Coyne said. "This opinion gives physicians an incentive to argue that they're not covered entities, but rather employees of covered entities."
Other implications
Physicians also need to be aware that the memo actually makes it easier for prosecutors to bring charges against those who are, in fact, covered entities, said Alan Goldberg, a partner at Goulston & Storrs in Washington, D.C., and adjunct professor of law at the University of Maryland School of Law and Suffolk University Law School, Boston.
Under HIPAA, criminal penalties apply to those who "knowingly" misuse other people's protected health data. In clarifying the meaning of the word "knowingly" in this context, the memo states that it requires proof only that the alleged perpetrator knew of the facts of the offense. It does not require proof the person knew what he or she was doing violated HIPAA.
In other words, the perpetrator "need not have an understanding of what the law means or what the law says" to be tried and convicted under HIPAA, Goldberg said. No one can claim innocence based on ignorance.
Perhaps the most controversial aspect of the Justice Dept. memo is that it indicates that most health care workers -- those who are not covered entities -- are not criminally liable for the misuse of another person's protected health information, at least not under HIPAA.
The opinion appears to undermine the only criminal conviction that federal prosecutors have won, or yet attempted, using HIPAA.
Last year in Seattle, the U.S. Attorney's Office used HIPAA to bring charges against a hospital lab technician who stole personal information from a cancer patient. The lab tech pleaded guilty in August and was sentenced to 16 months in prison.
Under the Justice Dept.'s recent interpretation of the statute, HIPAA no longer could be used in a case like that, said Robert Gellman, a privacy and information policy consultant in Washington, D.C.
In that regard, the Justice Dept. opinion clearly violates congressional intent, said William Braithwaite, MD, PhD, who wrote the HIPAA privacy language when he was a Senate staff member in 1994 and later served as senior adviser for health information policy at HHS.
"The intent was to go after anybody who made a knowing and willful decision to violate somebody's privacy, so that people wouldn't do that," said Dr. Braithwaite, currently senior vice president and chief medical officer for eHealth Initiative, a Washington, D.C.-based nonprofit group. "This [opinion] takes that away."
Still on the hook
But health lawyers say the government hasn't left itself completely without options to prosecute health care employees who misuse protected health information.
Most workers are still exposed to criminal liability even if they are not directly liable under HIPAA, said John Steiner, chief compliance officer at the Cleveland Clinic Health System. "The Dept. of Justice is saying we would not go after them under HIPAA per se, but we would probably, if the facts indicate, go after them on a different theory," such as conspiracy.
Normal principles of corporate liability also still apply, which means that clinics, hospitals and physician offices need to have their HIPAA policies and procedures firmly in place, Coyne said. If prosecutors cannot go after an employee with HIPAA criminal penalties, "they might look harder for some theory of corporate liability for the employee's act," she said. "The defense to that is going to be: 'Well, we had our policies in place, and this employee violated those policies.' "
Those convicted of a criminal violation under HIPAA face up to 10 years in prison and a $250,000 fine if they commit offenses "with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm."