
DOJ Says HIPAA Criminal Liability Limited to Covered Entities

Client Alert | 2 min read | 06.10.05

By Ben Butler

The U.S. Department of Justice (“DOJ”) has indicated that criminal prosecution under the privacy-related provisions of the Health Insurance Portability and Accountability Act, P.L. 104-191 (“HIPAA”) will be limited to “covered entities.” In light of this narrowing scope, hospitals, health plans, and other covered entities must be particularly vigilant about maintaining compliance with HIPAA privacy, security, and transactions requirements so that they are not themselves prosecuted under remaining theories of liability, such as agency theory or conspiracy. Also, despite the impression that could be given by DOJ's determination, DOJ says that senior corporate officials could still be criminally liable for a “covered entity's” misconduct in an egregious case.

In a June 1, 2005 memorandum issued by DOJ's Office of Legal Counsel, DOJ concludes that non-covered entities cannot violate the administrative simplification provisions of HIPAA (specifically, the United States Code, Title 42, Chapter 7, Subchapter XI, Part C) because these provisions “simply do[] not apply to them.” Under HIPAA, “covered entities” include health plans, health care clearinghouses, health care providers who transmit health information in electronic form in connection with a HIPAA-covered transaction, and Medicare prescription drug card sponsors.

The position taken by the DOJ appears to contradict the theory underlying the only criminal conviction to date, that of Richard Gibson, a Seattle cancer center employee, who pled guilty to violating HIPAA and was later sentenced to 16 months in prison. As indicated in the summary, at the time of the conviction, the theory of the case appeared questionable given the language of the HIPAA statute. DOJ's Office of Legal Counsel now appears to have reached the same conclusion.

By narrowing the focus of possible criminal prosecution under HIPAA, DOJ has arguably “raised the stakes” for covered entities, who now may be the only remaining targets in some situations. If, as in the Gibson case, an individual employee engages in wrongful conduct involving protected health information, it will be critically important for a covered entity to be able to demonstrate that the employee was not acting in the scope of his or her employment. To this end, covered entities should be sure to take sufficient HIPAA compliance measures, such as ongoing training and awareness, active enforcement of internal sanctions where appropriate, and maintenance of up-to-date policies and procedures.

Failure to take these measures may open the covered entity up to possible investigation under a theory of agency (i.e., the employee was acting on behalf of the covered entity or with its knowledge) or conspiracy. Moreover, DOJ states that the criminal liability of a covered entity may even extend, in limited circumstances, “to individuals in managerial roles, including, at times, to individuals with no direct involvement in the offense . . . . [I]t may be that such individuals in particular cases may be prosecuted directly” under HIPAA.

Although federal enforcement of HIPAA to date has been limited, in the event of a high-profile misuse of patient information – as occurred in the Gibson case – prosecutors will want to ensure that someone is held responsible. Health plans, hospitals, and other covered entities must take the necessary measures to minimize exposure.
