Government

HIPAA memo could affect doctors' criminal liability

Privacy experts say a new Justice Dept. opinion indicates that criminal prosecutions of HIPAA violations will target covered entities but not others.

By Amy Snow Landa — Posted July 18, 2005

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

A memo the Justice Dept. recently issued could make some physicians more susceptible to criminal prosecution under the federal medical privacy law and others less so, health lawyers and privacy experts say.

Released publicly on June 9, the memo is the first Justice Dept. statement to address criminal enforcement of patient privacy protections under the Health Insurance Portability and Accountability Act of 1996.

According to the opinion, HIPAA's criminal enforcement provision applies directly to "covered entities," which include physicians and other health professionals specified in the statute, health plans, health care clearinghouses and Medicare prescription drug card sponsors.

"In addition," the memo states, "depending on the facts of a given case, certain directors, officers, and employees of these entities may be directly liable." But the memo adds, "Other persons may not be directly liable under this provision."

That wording could offer physicians an important avenue for avoiding criminal liability under HIPAA, said Sarah Coyne, a partner at the law firm Quarles & Brady LLP in Madison, Wis., and a member of its health law group.

Whether an individual physician is a covered entity "wasn't all that important before," said Coyne, who represents doctors on regulatory compliance issues. "But it is now, in light of this opinion."

In many cases, there is no question as to whether a particular physician is a covered entity or not, Coyne said. For example, a physician with his or her own practice who submits electronic transactions is clearly a covered entity, whereas a physician who works only on paper clearly is not.

"But then there is this whole fuzzy middle ground, and it's never been crystal clear whether the typical physician who is employed by a group or hospital is a covered entity," Coyne said. "This opinion gives physicians an incentive to argue that they're not covered entities, but rather employees of covered entities."

Other implications

Physicians also need to be aware that the memo actually makes it easier for prosecutors to bring charges against those who are, in fact, covered entities, said Alan Goldberg, a partner at Goulston & Storrs in Washington, D.C., and adjunct professor of law at the University of Maryland School of Law and Suffolk University Law School, Boston.

Under HIPAA, criminal penalties apply to those who "knowingly" misuse other people's protected health data. In clarifying the meaning of the word "knowingly" in this context, the memo states that it requires proof only that the alleged perpetrator knew of the facts of the offense. It does not require proof the person knew what he or she was doing violated HIPAA.

In other words, the perpetrator "need not have an understanding of what the law means or what the law says" to be tried and convicted under HIPAA, Goldberg said. No one can claim innocence based on ignorance.

Perhaps the most controversial aspect of the Justice Dept. memo is that it indicates that most health care workers -- those who are not covered entities -- are not criminally liable for the misuse of another person's protected health information, at least not under HIPAA.

The opinion appears to undermine the only criminal conviction that federal prosecutors have won, or yet attempted, using HIPAA.

Last year in Seattle, the U.S. Attorney's Office used HIPAA to bring charges against a hospital lab technician who stole personal information from a cancer patient. The lab tech pleaded guilty in August and was sentenced to 16 months in prison.

Under the Justice Dept.'s recent interpretation of the statute, HIPAA no longer could be used in a case like that, said Robert Gellman, a privacy and information policy consultant in Washington, D.C.

In that regard, the Justice Dept. opinion clearly violates congressional intent, said William Braithwaite, MD, PhD, who wrote the HIPAA privacy language when he was a Senate staff member in 1994 and later served as senior adviser for health information policy at HHS.

"The intent was to go after anybody who made a knowing and willful decision to violate somebody's privacy, so that people wouldn't do that," said Dr. Braithwaite, currently senior vice president and chief medical officer for eHealth Initiative, a Washington, D.C.-based nonprofit group. "This [opinion] takes that away."

Still on the hook

But health lawyers say the government hasn't left itself completely without options to prosecute health care employees who misuse protected health information.

Most workers are still exposed to criminal liability even if they are not directly liable under HIPAA, said John Steiner, chief compliance officer at the Cleveland Clinic Health System. "The Dept. of Justice is saying we would not go after them under HIPAA per se, but we would probably, if the facts indicate, go after them on a different theory," such as conspiracy.

Normal principles of corporate liability also still apply, which means that clinics, hospitals and physician offices need to have their HIPAA policies and procedures firmly in place, Coyne said. If prosecutors cannot go after an employee with HIPAA criminal penalties, "they might look harder for some theory of corporate liability for the employee's act," she said. "The defense to that is going to be: 'Well, we had our policies in place, and this employee violated those policies.' "

Those convicted of a criminal violation under HIPAA face up to 10 years in prison and a $250,000 fine if they commit offenses "with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm."

Back to top


External links

Dept. of Justice memorandum opinion on the scope of HIPAA's criminal enforcement provision (link)

Back to top


ADVERTISEMENT

ADVERTISE HERE


Featured
Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story


Read story

Goodbye

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story


Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story


Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story


Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story


Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story


Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story


Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn